wid-sec-w-2025-2187
Vulnerability from csaf_certbund
Published
2025-10-01 22:00
Modified
2025-10-15 22:00
Summary
Linux Kernel: Multiple vulnerabilities allow denial of service
Notes
The BSI, as the provider, is responsible under general law for its own content made available for use. Users, however, are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with this content.
Product description
The kernel is the core of the Linux operating system.
Attack
An attacker can exploit multiple vulnerabilities in the Linux kernel to carry out a denial-of-service attack and to cause effects that are not described in further detail.
Affected operating systems
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und um nicht n\u00e4here beschriebene Effekte zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-2187 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2187.json" }, { "category": "self", "summary": "WID-SEC-2025-2187 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2187" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2021-4460", "url": "https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2021-4460-aa71@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50420", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100152-CVE-2022-50420-1d36@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50421", "url": "https://lore.kernel.org/linux-cve-announce/2025100155-CVE-2022-50421-8bdc@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50422", "url": "https://lore.kernel.org/linux-cve-announce/2025100155-CVE-2022-50422-287b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50423", "url": "https://lore.kernel.org/linux-cve-announce/2025100155-CVE-2022-50423-5a66@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50424", "url": "https://lore.kernel.org/linux-cve-announce/2025100156-CVE-2022-50424-049f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50425", "url": "https://lore.kernel.org/linux-cve-announce/2025100156-CVE-2022-50425-6722@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50426", "url": "https://lore.kernel.org/linux-cve-announce/2025100156-CVE-2022-50426-a61b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50427", "url": "https://lore.kernel.org/linux-cve-announce/2025100157-CVE-2022-50427-87b9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50428", "url": "https://lore.kernel.org/linux-cve-announce/2025100157-CVE-2022-50428-0c76@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50429", "url": "https://lore.kernel.org/linux-cve-announce/2025100157-CVE-2022-50429-4bc6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50430", "url": "https://lore.kernel.org/linux-cve-announce/2025100157-CVE-2022-50430-568d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50431", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100158-CVE-2022-50431-b165@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50432", "url": "https://lore.kernel.org/linux-cve-announce/2025100158-CVE-2022-50432-bb35@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50433", "url": "https://lore.kernel.org/linux-cve-announce/2025100158-CVE-2022-50433-440b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50434", "url": "https://lore.kernel.org/linux-cve-announce/2025100159-CVE-2022-50434-e4db@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50435", "url": "https://lore.kernel.org/linux-cve-announce/2025100159-CVE-2022-50435-f6c4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50436", "url": "https://lore.kernel.org/linux-cve-announce/2025100159-CVE-2022-50436-ad37@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50437", "url": "https://lore.kernel.org/linux-cve-announce/2025100100-CVE-2022-50437-440f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50438", "url": "https://lore.kernel.org/linux-cve-announce/2025100100-CVE-2022-50438-1760@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50439", "url": "https://lore.kernel.org/linux-cve-announce/2025100100-CVE-2022-50439-6054@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50440", "url": "https://lore.kernel.org/linux-cve-announce/2025100101-CVE-2022-50440-1afd@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50441", "url": "https://lore.kernel.org/linux-cve-announce/2025100101-CVE-2022-50441-e2e2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50442", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100101-CVE-2022-50442-c0fe@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50443", "url": "https://lore.kernel.org/linux-cve-announce/2025100102-CVE-2022-50443-c1d5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50444", "url": "https://lore.kernel.org/linux-cve-announce/2025100102-CVE-2022-50444-9b11@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50445", "url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2022-50445-5873@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50446", "url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2022-50446-94be@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50447", "url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2022-50447-4de6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50448", "url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2022-50448-922e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50449", "url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2022-50449-214c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50450", "url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2022-50450-7ef7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50451", "url": "https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2022-50451-418f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50452", "url": "https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2022-50452-055d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50453", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2022-50453-204a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50454", "url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2022-50454-9c7d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50455", "url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2022-50455-24fb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50456", "url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2022-50456-f0d6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50457", "url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2022-50457-da35@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50458", "url": "https://lore.kernel.org/linux-cve-announce/2025100119-CVE-2022-50458-4fa8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50459", "url": "https://lore.kernel.org/linux-cve-announce/2025100119-CVE-2022-50459-2340@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50460", "url": "https://lore.kernel.org/linux-cve-announce/2025100119-CVE-2022-50460-2149@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50461", "url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2022-50461-5ee8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50462", "url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2022-50462-a935@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50463", "url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2022-50463-9ae6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50464", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100121-CVE-2022-50464-3c96@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50465", "url": "https://lore.kernel.org/linux-cve-announce/2025100121-CVE-2022-50465-fb12@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50466", "url": "https://lore.kernel.org/linux-cve-announce/2025100121-CVE-2022-50466-b59c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50467", "url": "https://lore.kernel.org/linux-cve-announce/2025100122-CVE-2022-50467-13ec@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50468", "url": "https://lore.kernel.org/linux-cve-announce/2025100122-CVE-2022-50468-3196@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2022-50469", "url": "https://lore.kernel.org/linux-cve-announce/2025100122-CVE-2022-50469-bbc4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53448", "url": "https://lore.kernel.org/linux-cve-announce/2025100102-CVE-2023-53448-e125@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53449", "url": "https://lore.kernel.org/linux-cve-announce/2025100103-CVE-2023-53449-b49f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53450", "url": "https://lore.kernel.org/linux-cve-announce/2025100103-CVE-2023-53450-35c4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53451", "url": "https://lore.kernel.org/linux-cve-announce/2025100103-CVE-2023-53451-bb02@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53452", "url": "https://lore.kernel.org/linux-cve-announce/2025100104-CVE-2023-53452-f6e5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53453", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100104-CVE-2023-53453-c36d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53454", "url": "https://lore.kernel.org/linux-cve-announce/2025100104-CVE-2023-53454-5ee6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53455", "url": "https://lore.kernel.org/linux-cve-announce/2025100104-CVE-2023-53455-3efb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53456", "url": "https://lore.kernel.org/linux-cve-announce/2025100105-CVE-2023-53456-b77a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53457", "url": "https://lore.kernel.org/linux-cve-announce/2025100105-CVE-2023-53457-629a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53458", "url": "https://lore.kernel.org/linux-cve-announce/2025100105-CVE-2023-53458-8239@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53459", "url": "https://lore.kernel.org/linux-cve-announce/2025100106-CVE-2023-53459-48f3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53460", "url": "https://lore.kernel.org/linux-cve-announce/2025100106-CVE-2023-53460-cdc8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53461", "url": "https://lore.kernel.org/linux-cve-announce/2025100106-CVE-2023-53461-b02b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53462", "url": "https://lore.kernel.org/linux-cve-announce/2025100107-CVE-2023-53462-7a33@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53463", "url": "https://lore.kernel.org/linux-cve-announce/2025100107-CVE-2023-53463-49fd@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53464", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100107-CVE-2023-53464-a397@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53465", "url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2023-53465-eb0b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53466", "url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2023-53466-dcff@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53467", "url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2023-53467-fa4b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53468", "url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2023-53468-8dea@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53469", "url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2023-53469-e372@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53470", "url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2023-53470-8c6a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53471", "url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2023-53471-09f6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53472", "url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2023-53472-93cb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53473", "url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2023-53473-bf5d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53474", "url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2023-53474-b2ae@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53475", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2023-53475-b007@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53476", "url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2023-53476-d6d3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53477", "url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2023-53477-93d5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53478", "url": "https://lore.kernel.org/linux-cve-announce/2025100112-CVE-2023-53478-3da0@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53479", "url": "https://lore.kernel.org/linux-cve-announce/2025100112-CVE-2023-53479-5c70@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53480", "url": "https://lore.kernel.org/linux-cve-announce/2025100112-CVE-2023-53480-95ab@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53481", "url": "https://lore.kernel.org/linux-cve-announce/2025100113-CVE-2023-53481-cddb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53482", "url": "https://lore.kernel.org/linux-cve-announce/2025100113-CVE-2023-53482-ade3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53483", "url": "https://lore.kernel.org/linux-cve-announce/2025100113-CVE-2023-53483-cf50@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53484", "url": "https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2023-53484-d863@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53485", "url": "https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2023-53485-672c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53486", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2023-53486-455f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53487", "url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2023-53487-c3f7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53488", "url": "https://lore.kernel.org/linux-cve-announce/2025100123-CVE-2023-53488-2533@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53489", "url": "https://lore.kernel.org/linux-cve-announce/2025100123-CVE-2023-53489-eec5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53490", "url": "https://lore.kernel.org/linux-cve-announce/2025100123-CVE-2023-53490-c90f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53491", "url": "https://lore.kernel.org/linux-cve-announce/2025100123-CVE-2023-53491-2d8b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53492", "url": "https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2023-53492-18fd@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53493", "url": "https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2023-53493-ef00@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53494", "url": "https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2023-53494-6542@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53495", "url": "https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2023-53495-3cce@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53496", "url": "https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2023-53496-b145@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53497", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2023-53497-e3a3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53498", "url": "https://lore.kernel.org/linux-cve-announce/2025100126-CVE-2023-53498-3f4e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53499", "url": "https://lore.kernel.org/linux-cve-announce/2025100126-CVE-2023-53499-0e6a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53500", "url": "https://lore.kernel.org/linux-cve-announce/2025100126-CVE-2023-53500-61b6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53501", "url": "https://lore.kernel.org/linux-cve-announce/2025100127-CVE-2023-53501-5859@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53502", "url": "https://lore.kernel.org/linux-cve-announce/2025100127-CVE-2023-53502-aa6a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53503", "url": "https://lore.kernel.org/linux-cve-announce/2025100127-CVE-2023-53503-d86c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53504", "url": "https://lore.kernel.org/linux-cve-announce/2025100128-CVE-2023-53504-ccc8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53505", "url": "https://lore.kernel.org/linux-cve-announce/2025100128-CVE-2023-53505-69f3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53506", "url": "https://lore.kernel.org/linux-cve-announce/2025100128-CVE-2023-53506-2778@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53507", "url": "https://lore.kernel.org/linux-cve-announce/2025100129-CVE-2023-53507-1165@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53508", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100129-CVE-2023-53508-20d7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53509", "url": "https://lore.kernel.org/linux-cve-announce/2025100129-CVE-2023-53509-2b4c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53510", "url": "https://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53510-9e6a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53511", "url": "https://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53511-99e8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53512", "url": "https://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53512-10c7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53513", "url": "https://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53513-4667@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53514", "url": "https://lore.kernel.org/linux-cve-announce/2025100131-CVE-2023-53514-bcd5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53515", "url": "https://lore.kernel.org/linux-cve-announce/2025100131-CVE-2023-53515-abe8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53516", "url": "https://lore.kernel.org/linux-cve-announce/2025100131-CVE-2023-53516-ca63@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53517", "url": "https://lore.kernel.org/linux-cve-announce/2025100132-CVE-2023-53517-da77@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53518", "url": "https://lore.kernel.org/linux-cve-announce/2025100132-CVE-2023-53518-64e1@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53519", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100132-CVE-2023-53519-de9d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53520", "url": "https://lore.kernel.org/linux-cve-announce/2025100133-CVE-2023-53520-a542@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53521", "url": "https://lore.kernel.org/linux-cve-announce/2025100133-CVE-2023-53521-15e2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53522", "url": "https://lore.kernel.org/linux-cve-announce/2025100133-CVE-2023-53522-4e19@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53523", "url": "https://lore.kernel.org/linux-cve-announce/2025100134-CVE-2023-53523-f4d4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53524", "url": "https://lore.kernel.org/linux-cve-announce/2025100134-CVE-2023-53524-d438@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53525", "url": "https://lore.kernel.org/linux-cve-announce/2025100134-CVE-2023-53525-ee57@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53526", "url": "https://lore.kernel.org/linux-cve-announce/2025100135-CVE-2023-53526-ee71@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53527", "url": "https://lore.kernel.org/linux-cve-announce/2025100135-CVE-2023-53527-3ce7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53528", "url": "https://lore.kernel.org/linux-cve-announce/2025100135-CVE-2023-53528-0572@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53529", "url": "https://lore.kernel.org/linux-cve-announce/2025100136-CVE-2023-53529-db9a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53530", "url": 
"https://lore.kernel.org/linux-cve-announce/2025100136-CVE-2023-53530-853b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53531", "url": "https://lore.kernel.org/linux-cve-announce/2025100136-CVE-2023-53531-3c7c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-53532", "url": "https://lore.kernel.org/linux-cve-announce/2025100137-CVE-2023-53532-1627@gregkh/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03613-1 vom 2025-10-16", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022915.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03614-1 vom 2025-10-16", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022911.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03615-1 vom 2025-10-16", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BVPLWRQN6MVKFQDJSEKN2JP6PMSGIO4Q/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03600-1 vom 2025-10-15", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHWHH7ZSMFJ6PQZ3CBDGGCWHNBCWD26Z/" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service", "tracking": { "current_release_date": "2025-10-15T22:00:00.000+00:00", "generator": { "date": "2025-10-16T09:43:51.720+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-2187", "initial_release_date": "2025-10-01T22:00:00.000+00:00", "revision_history": [ { "date": "2025-10-01T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-10-15T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", 
"name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T028462", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:unspecified" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4460", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2021-4460" }, { "cve": "CVE-2022-50420", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50420" }, { "cve": "CVE-2022-50421", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50421" }, { "cve": "CVE-2022-50422", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50422" }, { "cve": "CVE-2022-50423", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50423" }, { "cve": "CVE-2022-50424", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50424" }, { "cve": "CVE-2022-50425", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50425" }, { "cve": "CVE-2022-50426", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50426" }, { "cve": "CVE-2022-50427", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": 
"2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50427" }, { "cve": "CVE-2022-50428", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50428" }, { "cve": "CVE-2022-50429", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50429" }, { "cve": "CVE-2022-50430", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50430" }, { "cve": "CVE-2022-50431", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50431" }, { "cve": "CVE-2022-50432", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50432" }, { "cve": "CVE-2022-50433", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50433" }, { "cve": "CVE-2022-50434", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50434" }, { "cve": "CVE-2022-50435", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50435" }, { "cve": "CVE-2022-50436", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50436" }, { "cve": "CVE-2022-50437", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50437" }, { "cve": "CVE-2022-50438", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50438" }, { "cve": "CVE-2022-50439", "product_status": { 
"known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50439" }, { "cve": "CVE-2022-50440", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50440" }, { "cve": "CVE-2022-50441", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50441" }, { "cve": "CVE-2022-50442", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50442" }, { "cve": "CVE-2022-50443", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50443" }, { "cve": "CVE-2022-50444", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50444" }, { "cve": "CVE-2022-50445", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50445" }, { "cve": "CVE-2022-50446", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50446" }, { "cve": "CVE-2022-50447", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50447" }, { "cve": "CVE-2022-50448", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50448" }, { "cve": "CVE-2022-50449", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50449" }, { "cve": "CVE-2022-50450", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": 
"CVE-2022-50450" }, { "cve": "CVE-2022-50451", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50451" }, { "cve": "CVE-2022-50452", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50452" }, { "cve": "CVE-2022-50453", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50453" }, { "cve": "CVE-2022-50454", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50454" }, { "cve": "CVE-2022-50455", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50455" }, { "cve": "CVE-2022-50456", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50456" }, { "cve": "CVE-2022-50457", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50457" }, { "cve": "CVE-2022-50458", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50458" }, { "cve": "CVE-2022-50459", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50459" }, { "cve": "CVE-2022-50460", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50460" }, { "cve": "CVE-2022-50461", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50461" }, { "cve": "CVE-2022-50462", "product_status": { "known_affected": [ "T028462", "T002207" ] }, 
"release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50462" }, { "cve": "CVE-2022-50463", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50463" }, { "cve": "CVE-2022-50464", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50464" }, { "cve": "CVE-2022-50465", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50465" }, { "cve": "CVE-2022-50466", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50466" }, { "cve": "CVE-2022-50467", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50467" }, { "cve": "CVE-2022-50468", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50468" }, { "cve": "CVE-2022-50469", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2022-50469" }, { "cve": "CVE-2023-34319", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-34319" }, { "cve": "CVE-2023-3773", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-3773" }, { "cve": "CVE-2023-53448", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53448" }, { "cve": "CVE-2023-53449", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53449" }, { "cve": "CVE-2023-53450", 
"product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53450" }, { "cve": "CVE-2023-53451", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53451" }, { "cve": "CVE-2023-53452", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53452" }, { "cve": "CVE-2023-53453", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53453" }, { "cve": "CVE-2023-53454", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53454" }, { "cve": "CVE-2023-53455", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53455" }, { "cve": "CVE-2023-53456", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53456" }, { "cve": "CVE-2023-53457", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53457" }, { "cve": "CVE-2023-53458", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53458" }, { "cve": "CVE-2023-53459", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53459" }, { "cve": "CVE-2023-53460", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53460" }, { "cve": "CVE-2023-53461", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", 
"title": "CVE-2023-53461" }, { "cve": "CVE-2023-53462", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53462" }, { "cve": "CVE-2023-53463", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53463" }, { "cve": "CVE-2023-53464", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53464" }, { "cve": "CVE-2023-53465", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53465" }, { "cve": "CVE-2023-53466", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53466" }, { "cve": "CVE-2023-53467", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53467" }, { "cve": "CVE-2023-53468", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53468" }, { "cve": "CVE-2023-53469", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53469" }, { "cve": "CVE-2023-53470", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53470" }, { "cve": "CVE-2023-53471", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53471" }, { "cve": "CVE-2023-53472", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53472" }, { "cve": "CVE-2023-53473", "product_status": { "known_affected": [ "T028462", "T002207" ] 
}, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53473" }, { "cve": "CVE-2023-53474", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53474" }, { "cve": "CVE-2023-53475", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53475" }, { "cve": "CVE-2023-53476", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53476" }, { "cve": "CVE-2023-53477", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53477" }, { "cve": "CVE-2023-53478", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53478" }, { "cve": "CVE-2023-53479", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53479" }, { "cve": "CVE-2023-53480", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53480" }, { "cve": "CVE-2023-53481", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53481" }, { "cve": "CVE-2023-53482", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53482" }, { "cve": "CVE-2023-53483", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53483" }, { "cve": "CVE-2023-53484", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53484" }, { "cve": "CVE-2023-53485", 
"product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53485" }, { "cve": "CVE-2023-53486", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53486" }, { "cve": "CVE-2023-53487", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53487" }, { "cve": "CVE-2023-53488", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53488" }, { "cve": "CVE-2023-53489", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53489" }, { "cve": "CVE-2023-53490", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53490" }, { "cve": "CVE-2023-53491", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53491" }, { "cve": "CVE-2023-53492", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53492" }, { "cve": "CVE-2023-53493", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53493" }, { "cve": "CVE-2023-53494", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53494" }, { "cve": "CVE-2023-53495", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53495" }, { "cve": "CVE-2023-53496", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", 
"title": "CVE-2023-53496" }, { "cve": "CVE-2023-53497", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53497" }, { "cve": "CVE-2023-53498", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53498" }, { "cve": "CVE-2023-53499", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53499" }, { "cve": "CVE-2023-53500", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53500" }, { "cve": "CVE-2023-53501", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53501" }, { "cve": "CVE-2023-53502", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53502" }, { "cve": "CVE-2023-53503", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53503" }, { "cve": "CVE-2023-53504", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53504" }, { "cve": "CVE-2023-53505", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53505" }, { "cve": "CVE-2023-53506", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53506" }, { "cve": "CVE-2023-53507", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53507" }, { "cve": "CVE-2023-53508", "product_status": { "known_affected": [ "T028462", "T002207" ] 
}, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53508" }, { "cve": "CVE-2023-53509", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53509" }, { "cve": "CVE-2023-53510", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53510" }, { "cve": "CVE-2023-53511", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53511" }, { "cve": "CVE-2023-53512", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53512" }, { "cve": "CVE-2023-53513", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53513" }, { "cve": "CVE-2023-53514", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53514" }, { "cve": "CVE-2023-53515", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53515" }, { "cve": "CVE-2023-53516", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53516" }, { "cve": "CVE-2023-53517", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53517" }, { "cve": "CVE-2023-53518", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53518" }, { "cve": "CVE-2023-53519", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53519" }, { "cve": "CVE-2023-53520", 
"product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53520" }, { "cve": "CVE-2023-53521", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53521" }, { "cve": "CVE-2023-53522", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53522" }, { "cve": "CVE-2023-53523", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53523" }, { "cve": "CVE-2023-53524", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53524" }, { "cve": "CVE-2023-53525", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53525" }, { "cve": "CVE-2023-53526", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53526" }, { "cve": "CVE-2023-53527", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53527" }, { "cve": "CVE-2023-53528", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53528" }, { "cve": "CVE-2023-53529", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53529" }, { "cve": "CVE-2023-53530", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53530" }, { "cve": "CVE-2023-53531", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", 
"title": "CVE-2023-53531" }, { "cve": "CVE-2023-53532", "product_status": { "known_affected": [ "T028462", "T002207" ] }, "release_date": "2025-10-01T22:00:00.000+00:00", "title": "CVE-2023-53532" } ] }
CVE-2022-50454 (GCVE-0-2022-50454)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm will call nouveau_bo_del_ttm() and
free the memory. Thus, when nouveau_bo_init() returns an error, the gem
object has already been released. Then the call to nouveau_bo_ref() will
use the freed "nvbo->bo" and lead to a use-after-free bug.
We should delete the call to nouveau_bo_ref() to avoid the use-after-free.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5 Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5 Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5 Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5 Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5 Version: 019cbd4a4feb3aa3a917d78e7110e3011bbff6d5
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/nouveau/nouveau_prime.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "56ee9577915dc06f55309901012a9ef68dbdb5a8", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" }, { "lessThan": "5d6093c49c098d86c7b136aba9922df44aeb6944", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" }, { "lessThan": "861f085f81fd569b02cc2c11165a9e6cca144424", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" }, { "lessThan": "3aeda2fe6517cc52663d4ce3588dd43f0d4124a7", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" }, { "lessThan": "7d80473e9f12548ac05b36af4fb9ce80f2f73509", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" }, { "lessThan": "540dfd188ea2940582841c1c220bd035a7db0e51", "status": "affected", "version": "019cbd4a4feb3aa3a917d78e7110e3011bbff6d5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/nouveau/nouveau_prime.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.220", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { 
"lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.220", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()\n\nnouveau_bo_init() is backed by ttm_bo_init() and ferries its return code\nback to the caller. On failures, ttm will call nouveau_bo_del_ttm() and\nfree the memory.Thus, when nouveau_bo_init() returns an error, the gem\nobject has already been released. Then the call to nouveau_bo_ref() will\nuse the freed \"nvbo-\u003ebo\" and lead to a use-after-free bug.\n\nWe should delete the call to nouveau_bo_ref() to avoid the use-after-free." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:27.337Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/56ee9577915dc06f55309901012a9ef68dbdb5a8" }, { "url": "https://git.kernel.org/stable/c/5d6093c49c098d86c7b136aba9922df44aeb6944" }, { "url": "https://git.kernel.org/stable/c/861f085f81fd569b02cc2c11165a9e6cca144424" }, { "url": "https://git.kernel.org/stable/c/3aeda2fe6517cc52663d4ce3588dd43f0d4124a7" }, { "url": "https://git.kernel.org/stable/c/7d80473e9f12548ac05b36af4fb9ce80f2f73509" }, { "url": "https://git.kernel.org/stable/c/540dfd188ea2940582841c1c220bd035a7db0e51" } ], "title": "drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50454", "datePublished": "2025-10-01T11:45:27.337Z", "dateReserved": "2025-10-01T11:38:45.640Z", "dateUpdated": "2025-10-01T11:45:27.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53481 (GCVE-0-2023-53481)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
Following process will trigger an infinite loop in ubi_wl_put_peb():
        ubifs_bgt                       ubi_bgt
    ubifs_leb_unmap
      ubi_leb_unmap
        ubi_eba_unmap_leb
          ubi_wl_put_peb                wear_leveling_worker
                                          e1 = rb_entry(rb_first(&ubi->used)
                                          e2 = get_peb_for_wl(ubi)
                                          ubi_io_read_vid_hdr // return err (flash fault)
                                          out_error:
                                          ubi->move_from = ubi->move_to = NULL
                                          wl_entry_destroy(ubi, e1)
                                          ubi->lookuptbl[e->pnum] = NULL
          retry:
            e = ubi->lookuptbl[pnum];       // return NULL
            if (e == ubi->move_from) {      // NULL == NULL gets true
              goto retry;                   // infinite loop !!!

    $ top
      PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM COMMAND
     7676 root      20   0       0      0      0 R 100.0   0.0 ubifs_bgt0_0
Fix it by:
1) Letting ubi_wl_put_peb() return directly if wear leveling entry has
been removed from 'ubi->lookuptbl'.
2) Using 'ubi->wl_lock' protecting wl entry deletion to prevent a
use-after-free problem for wl entry in ubi_wl_put_peb().
Fetch a reproducer in [Link].
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174 Version: 43f9b25a9cdd7b177f77f026b1461abd1abbd174
CVE-2023-53488 (GCVE-0-2023-53488)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix possible panic during hotplug remove
During hotplug remove it is possible that the update counters work
might be pending, and may run after memory has been freed.
Cancel the update counters work before freeing memory.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 7724105686e718ac476a6ad3304fea2fbcfcffde
CVE-2022-50435 (GCVE-0-2022-50435)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid crash when inline data creation follows DIO write
When inode is created and written to using direct IO, there is nothing
to clear the EXT4_STATE_MAY_INLINE_DATA flag. Thus when inode gets
truncated later to say 1 byte and written using normal write, we will
try to store the data as inline data. This confuses the code later
because the inode now has both normal block and inline data allocated
and the confusion manifests for example as:
```
kernel BUG at fs/ext4/inode.c:2721!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 359 Comm: repro Not tainted 5.19.0-rc8-00001-g31ba1e3b8305-dirty #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
RIP: 0010:ext4_writepages+0x363d/0x3660
RSP: 0018:ffffc90000ccf260 EFLAGS: 00010293
RAX: ffffffff81e1abcd RBX: 0000008000000000 RCX: ffff88810842a180
RDX: 0000000000000000 RSI: 0000008000000000 RDI: 0000000000000000
RBP: ffffc90000ccf650 R08: ffffffff81e17d58 R09: ffffed10222c680b
R10: dfffe910222c680c R11: 1ffff110222c680a R12: ffff888111634128
R13: ffffc90000ccf880 R14: 0000008410000000 R15: 0000000000000001
FS: 00007f72635d2640(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565243379180 CR3: 000000010aa74000 CR4: 0000000000150eb0
Call Trace:
 <TASK>
 do_writepages+0x397/0x640
 filemap_fdatawrite_wbc+0x151/0x1b0
 file_write_and_wait_range+0x1c9/0x2b0
 ext4_sync_file+0x19e/0xa00
 vfs_fsync_range+0x17b/0x190
 ext4_buffered_write_iter+0x488/0x530
 ext4_file_write_iter+0x449/0x1b90
 vfs_write+0xbcd/0xf40
 ksys_write+0x198/0x2c0
 __x64_sys_write+0x7b/0x90
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>
```
Fix the problem by clearing EXT4_STATE_MAY_INLINE_DATA when we are doing
direct IO write to a file.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVE-2023-53452 (GCVE-0-2023-53452)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential race condition between napi_init and napi_enable
A race condition can happen if netdev is registered, but NAPI isn't
initialized yet, and meanwhile user space starts the netdev that will
enable NAPI. Then, it hits BUG_ON():
```
kernel BUG at net/core/dev.c:6423!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 417 Comm: iwd Not tainted 6.2.7-slab-dirty #3 eb0f5a8a9d91
Hardware name: LENOVO 21DL/LNVNB161216, BIOS JPCN20WW(V1.06) 09/20/2022
RIP: 0010:napi_enable+0x3f/0x50
Code: 48 89 c2 48 83 e2 f6 f6 81 89 08 00 00 02 74 0d 48 83 ...
RSP: 0018:ffffada1414f3548 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffa01425802080 RCX: 0000000000000000
RDX: 00000000000002ff RSI: ffffada14e50c614 RDI: ffffa01425808dc0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000100 R12: ffffa01425808f58
R13: 0000000000000000 R14: ffffa01423498940 R15: 0000000000000001
FS: 00007f5577c0a740(0000) GS:ffffa0169fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5577a19972 CR3: 0000000125a7a000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 rtw89_pci_ops_start+0x1c/0x70 [rtw89_pci 6cbc75429515c181cbc386478d5cfb32ffc5a0f8]
 rtw89_core_start+0xbe/0x160 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]
 rtw89_ops_start+0x26/0x40 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]
 drv_start+0x42/0x100 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]
 ieee80211_do_open+0x311/0x7d0 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]
 ieee80211_open+0x6a/0x90 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]
 __dev_open+0xe0/0x180
 __dev_change_flags+0x1da/0x250
 dev_change_flags+0x26/0x70
 do_setlink+0x37c/0x12c0
 ? ep_poll_callback+0x246/0x290
 ? __nla_validate_parse+0x61/0xd00
 ? __wake_up_common_lock+0x8f/0xd0
```
To fix this, follow Jonas' suggestion to switch the order of these
functions and move register netdev to be the last step of PCI probe.
Also, correct the error handling of rtw89_core_register_hw().
CVE-2023-53465 (GCVE-0-2023-53465)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
soundwire: qcom: fix storing port config out-of-bounds
The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14),
however we index it starting from 1, not 0, to match real port numbers.
This can lead to writing port config past 'pconfig' bounds and
overwriting next member of 'qcom_swrm_ctrl' struct. Reported also by
smatch:
drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14
CVE-2022-50423 (GCVE-0-2022-50423)
Vulnerability from cvelistv5
Published
2025-10-01 11:41
Modified
2025-10-01 11:41
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
There is a use-after-free reported by KASAN:
  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
  Read of size 1 at addr ffff888112afc460 by task modprobe/2111
  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   kasan_report+0xae/0xe0
   acpi_ut_remove_reference+0x3b/0x82
   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
   acpi_ds_store_object_to_local+0x15d/0x3a0
   acpi_ex_store+0x78d/0x7fd
   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
   acpi_ps_parse_aml+0x217/0x8d5
   ...
   </TASK>
The root cause of the problem is that the acpi_operand_object
is freed when acpi_ut_walk_package_tree() fails in
acpi_ut_copy_ipackage_to_ipackage(), leading to repeated release in
acpi_ut_copy_iobject_to_iobject(). The problem was introduced
by "8aa5e56eeb61" commit, this commit is to fix memory leak in
acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
operation, leading to "acpi_operand_object" used after free.
Fix it by removing acpi_ut_remove_reference() in
acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
is called to copy an internal package object into another internal
package object, when it fails, the memory of acpi_operand_object
should be freed by the caller.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8 Version: 7af5504c102a378376101dbd160246b10a814dd0 Version: e29a15484d7ea949e49ae7fb7e576a575da824a6 Version: e2ab6731a36966d042a2d4dabd980496cd680f75
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/acpi/acpica/utcopy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "133462d35dae95edb944af86b986d4c9dec59bd1", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "02f237423c9c6a18e062de2d474f85d5659e4eb9", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "c9125b643fc51b8e662f2f614096ceb45a0adbc3", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "dfdde4d5138bc023897033a5ac653a84e94805be", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "02617006b5a46f2ea55ac61f5693c7afd7bf9276", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "6fde666278f91b85d71545a0ebbf41d8d7af8074", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "01f2c2052ea50fb9a8ce12e4e83aed0267934ef0", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "lessThan": "470188b09e92d83c5a997f25f0e8fb8cd2bc3469", "status": "affected", "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce", "versionType": "git" }, { "status": "affected", "version": "b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8", "versionType": "git" }, { "status": "affected", "version": "7af5504c102a378376101dbd160246b10a814dd0", "versionType": "git" }, { "status": "affected", "version": "e29a15484d7ea949e49ae7fb7e576a575da824a6", "versionType": "git" }, { 
"status": "affected", "version": "e2ab6731a36966d042a2d4dabd980496cd680f75", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/acpi/acpica/utcopy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.17" }, { "lessThan": "3.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", 
"versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "3.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.55", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()\n\nThere is an use-after-free reported by KASAN:\n\n BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82\n Read of size 1 at addr ffff888112afc460 by task modprobe/2111\n CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n Call Trace:\n \u003cTASK\u003e\n kasan_report+0xae/0xe0\n acpi_ut_remove_reference+0x3b/0x82\n acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5\n acpi_ds_store_object_to_local+0x15d/0x3a0\n 
acpi_ex_store+0x78d/0x7fd\n acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b\n acpi_ps_parse_aml+0x217/0x8d5\n ...\n \u003c/TASK\u003e\n\nThe root cause of the problem is that the acpi_operand_object\nis freed when acpi_ut_walk_package_tree() fails in\nacpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in\nacpi_ut_copy_iobject_to_iobject(). The problem was introduced\nby \"8aa5e56eeb61\" commit, this commit is to fix memory leak in\nacpi_ut_copy_iobject_to_iobject(), repeatedly adding remove\noperation, lead to \"acpi_operand_object\" used after free.\n\nFix it by removing acpi_ut_remove_reference() in\nacpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()\nis called to copy an internal package object into another internal\npackage object, when it fails, the memory of acpi_operand_object\nshould be freed by the caller." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:41:56.083Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/133462d35dae95edb944af86b986d4c9dec59bd1" }, { "url": "https://git.kernel.org/stable/c/02f237423c9c6a18e062de2d474f85d5659e4eb9" }, { "url": "https://git.kernel.org/stable/c/c9125b643fc51b8e662f2f614096ceb45a0adbc3" }, { "url": "https://git.kernel.org/stable/c/dfdde4d5138bc023897033a5ac653a84e94805be" }, { "url": "https://git.kernel.org/stable/c/02617006b5a46f2ea55ac61f5693c7afd7bf9276" }, { "url": "https://git.kernel.org/stable/c/6fde666278f91b85d71545a0ebbf41d8d7af8074" }, { "url": "https://git.kernel.org/stable/c/f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6" }, { "url": "https://git.kernel.org/stable/c/01f2c2052ea50fb9a8ce12e4e83aed0267934ef0" }, { "url": "https://git.kernel.org/stable/c/470188b09e92d83c5a997f25f0e8fb8cd2bc3469" } ], "title": "ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", 
"assignerShortName": "Linux", "cveId": "CVE-2022-50423", "datePublished": "2025-10-01T11:41:56.083Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:41:56.083Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53524 (GCVE-0-2023-53524)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
An integer overflow occurs in the iwl_write_to_user_buf() function,
which is called by the iwl_dbgfs_monitor_data_read() function.
    static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
                                      void *buf, ssize_t *size,
                                      ssize_t *bytes_copied)
    {
        int buf_size_left = count - *bytes_copied;

        buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
        if (*size > buf_size_left)
            *size = buf_size_left;
If the user passes a SIZE_MAX value to the "ssize_t count" parameter,
the ssize_t count parameter is assigned to "int buf_size_left".
Then compare "*size" with "buf_size_left". Here, "buf_size_left" is a
negative number, so "*size" is assigned "buf_size_left" and goes into
the third argument of the copy_to_user function, causing a heap overflow.
This is not a security vulnerability because iwl_dbgfs_monitor_data_read()
is a debugfs operation with 0400 privileges.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/pcie/trans.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0ad8dd870aa187d0c21d032bb2c6433559075eec", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "059e426d666a41e26b184c177c1ca3ee2d6fa1b6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "82f877ec9b041edc4c7c509c605cc3393d837bf0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "eb1ef44efac797b384d361a76e33f77027c29a14", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "de78456976026102babe66258c228691ca5677c0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "58d1b717879bfeabe09b35e41ad667c79933eb2e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/pcie/trans.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.244", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": 
"*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.244", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf\n\nAn integer overflow occurs in the iwl_write_to_user_buf() function,\nwhich is called by the iwl_dbgfs_monitor_data_read() function.\n\nstatic bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,\n\t\t\t\t void *buf, ssize_t *size,\n\t\t\t\t ssize_t *bytes_copied)\n{\n\tint buf_size_left = count - *bytes_copied;\n\n\tbuf_size_left = buf_size_left - (buf_size_left % sizeof(u32));\n\tif (*size \u003e buf_size_left)\n\t\t*size = buf_size_left;\n\nIf the user passes a SIZE_MAX value to the \"ssize_t count\" parameter,\nthe ssize_t count parameter is assigned to \"int buf_size_left\".\nThen compare \"*size\" with \"buf_size_left\" . 
Here, \"buf_size_left\" is a\nnegative number, so \"*size\" is assigned \"buf_size_left\" and goes into\nthe third argument of the copy_to_user function, causing a heap overflow.\n\nThis is not a security vulnerability because iwl_dbgfs_monitor_data_read()\nis a debugfs operation with 0400 privileges." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:10.397Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0ad8dd870aa187d0c21d032bb2c6433559075eec" }, { "url": "https://git.kernel.org/stable/c/059e426d666a41e26b184c177c1ca3ee2d6fa1b6" }, { "url": "https://git.kernel.org/stable/c/82f877ec9b041edc4c7c509c605cc3393d837bf0" }, { "url": "https://git.kernel.org/stable/c/eb1ef44efac797b384d361a76e33f77027c29a14" }, { "url": "https://git.kernel.org/stable/c/de78456976026102babe66258c228691ca5677c0" }, { "url": "https://git.kernel.org/stable/c/58d1b717879bfeabe09b35e41ad667c79933eb2e" } ], "title": "wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53524", "datePublished": "2025-10-01T11:46:10.397Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:10.397Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53529 (GCVE-0-2023-53529)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: Fix memory leak in rtw88_usb
Kmemleak shows the following leak arising from routine in the usb
probe routine:
unreferenced object 0xffff895cb29bba00 (size 512):
  comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s)
  hex dump (first 32 bytes):
    77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00 w000...../-+0...
    02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U......
  backtrace:
    [<ffffffff9265fa36>] kmalloc_trace+0x26/0x90
    [<ffffffffc17eec41>] rtw_usb_probe+0x2f1/0x680 [rtw_usb]
    [<ffffffffc03e19fd>] usb_probe_interface+0xdd/0x2e0 [usbcore]
    [<ffffffff92b4f2fe>] really_probe+0x18e/0x3d0
    [<ffffffff92b4f5b8>] __driver_probe_device+0x78/0x160
    [<ffffffff92b4f6bf>] driver_probe_device+0x1f/0x90
    [<ffffffff92b4f8df>] __driver_attach+0xbf/0x1b0
    [<ffffffff92b4d350>] bus_for_each_dev+0x70/0xc0
    [<ffffffff92b4e51e>] bus_add_driver+0x10e/0x210
    [<ffffffff92b50935>] driver_register+0x55/0xf0
    [<ffffffffc03e0708>] usb_register_driver+0x88/0x140 [usbcore]
    [<ffffffff92401153>] do_one_initcall+0x43/0x210
    [<ffffffff9254f42a>] do_init_module+0x4a/0x200
    [<ffffffff92551d1c>] __do_sys_finit_module+0xac/0x120
    [<ffffffff92ee6626>] do_syscall_64+0x56/0x80
    [<ffffffff9300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
The leak was verified to be real by unloading the driver, which resulted
in a dangling pointer to the allocation.
The allocated memory is freed in rtw_usb_intf_deinit().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5bba1ad561a8b5bb14704d8f511cf10466336e3d", "status": "affected", "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9", "versionType": "git" }, { "lessThan": "59a3a312009723e3e5082899655fdcc420e2b47a", "status": "affected", "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.2" }, { "lessThan": "5.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: Fix memory leak in rtw88_usb\n\nKmemleak shows the following leak arising from routine in the usb\nprobe routine:\n\nunreferenced object 0xffff895cb29bba00 (size 512):\n comm \"(udev-worker)\", pid 534, jiffies 4294903932 (age 102751.088s)\n hex dump (first 32 bytes):\n 77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 
00 w000...../-+0...\n 02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U......\n backtrace:\n [\u003cffffffff9265fa36\u003e] kmalloc_trace+0x26/0x90\n [\u003cffffffffc17eec41\u003e] rtw_usb_probe+0x2f1/0x680 [rtw_usb]\n [\u003cffffffffc03e19fd\u003e] usb_probe_interface+0xdd/0x2e0 [usbcore]\n [\u003cffffffff92b4f2fe\u003e] really_probe+0x18e/0x3d0\n [\u003cffffffff92b4f5b8\u003e] __driver_probe_device+0x78/0x160\n [\u003cffffffff92b4f6bf\u003e] driver_probe_device+0x1f/0x90\n [\u003cffffffff92b4f8df\u003e] __driver_attach+0xbf/0x1b0\n [\u003cffffffff92b4d350\u003e] bus_for_each_dev+0x70/0xc0\n [\u003cffffffff92b4e51e\u003e] bus_add_driver+0x10e/0x210\n [\u003cffffffff92b50935\u003e] driver_register+0x55/0xf0\n [\u003cffffffffc03e0708\u003e] usb_register_driver+0x88/0x140 [usbcore]\n [\u003cffffffff92401153\u003e] do_one_initcall+0x43/0x210\n [\u003cffffffff9254f42a\u003e] do_init_module+0x4a/0x200\n [\u003cffffffff92551d1c\u003e] __do_sys_finit_module+0xac/0x120\n [\u003cffffffff92ee6626\u003e] do_syscall_64+0x56/0x80\n [\u003cffffffff9300006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe leak was verified to be real by unloading the driver, which resulted\nin a dangling pointer to the allocation.\n\nThe allocated memory is freed in rtw_usb_intf_deinit()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:30.330Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5bba1ad561a8b5bb14704d8f511cf10466336e3d" }, { "url": "https://git.kernel.org/stable/c/59a3a312009723e3e5082899655fdcc420e2b47a" } ], "title": "wifi: rtw88: Fix memory leak in rtw88_usb", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53529", "datePublished": "2025-10-01T11:46:14.358Z", "dateReserved": "2025-10-01T11:39:39.408Z", "dateUpdated": "2025-10-02T07:04:30.330Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53476 (GCVE-0-2023-53476)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()
This condition needs to match the previous "if (epcp->state == LISTEN) {"
exactly to avoid a NULL dereference of either "listen_ep" or "ep". The
problem is that "epcp" has been re-assigned so just testing
"if (epcp->state == LISTEN) {" a second time is not sufficient.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/cxgb4/restrack.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "76e0396313c79ecd0df44ee3c18745cfac52b3e6", "status": "affected", "version": "116aeb8873712ea559d26b0d9d88147af5c88db5", "versionType": "git" }, { "lessThan": "24278dc380aab6a1aef0a75317f57ad4c2453cf6", "status": "affected", "version": "116aeb8873712ea559d26b0d9d88147af5c88db5", "versionType": "git" }, { "lessThan": "dd55240e4364d64befcc575b0d33091881524f42", "status": "affected", "version": "116aeb8873712ea559d26b0d9d88147af5c88db5", "versionType": "git" }, { "lessThan": "4ca446b127c568b59cb8d9748b6f70499624bb18", "status": "affected", "version": "116aeb8873712ea559d26b0d9d88147af5c88db5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/cxgb4/restrack.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.18" }, { "lessThan": "4.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "4.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", 
"versionStartIncluding": "4.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "4.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()\n\nThis condition needs to match the previous \"if (epcp-\u003estate == LISTEN) {\"\nexactly to avoid a NULL dereference of either \"listen_ep\" or \"ep\". The\nproblem is that \"epcp\" has been re-assigned so just testing\n\"if (epcp-\u003estate == LISTEN) {\" a second time is not sufficient." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:45.499Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/76e0396313c79ecd0df44ee3c18745cfac52b3e6" }, { "url": "https://git.kernel.org/stable/c/24278dc380aab6a1aef0a75317f57ad4c2453cf6" }, { "url": "https://git.kernel.org/stable/c/dd55240e4364d64befcc575b0d33091881524f42" }, { "url": "https://git.kernel.org/stable/c/4ca446b127c568b59cb8d9748b6f70499624bb18" } ], "title": "iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53476", "datePublished": "2025-10-01T11:42:45.499Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:45.499Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50467 (GCVE-0-2022-50467)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID
An error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to
lpfc_nlp_put() with a null pointer to a nodelist structure.
Changed lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon
entry.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/lpfc/lpfc_ct.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "04e7cd8c85636a329d1a6e5a269a7c8b6f71c41c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "82dc1fe4324e2c897f2ed1c66f4fcff03094ac3a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "59b7e210a522b836a01516c71ee85d1d92c1f075", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/lpfc/lpfc_ct.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID\n\nAn error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to\nlpfc_nlp_put() with a 
null pointer to a nodelist structure.\n\nChanged lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon\nentry." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:38.110Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/04e7cd8c85636a329d1a6e5a269a7c8b6f71c41c" }, { "url": "https://git.kernel.org/stable/c/82dc1fe4324e2c897f2ed1c66f4fcff03094ac3a" }, { "url": "https://git.kernel.org/stable/c/59b7e210a522b836a01516c71ee85d1d92c1f075" } ], "title": "scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50467", "datePublished": "2025-10-01T11:45:38.110Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:38.110Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50426 (GCVE-0-2022-50426)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: imx_dsp_rproc: Add mutex protection for workqueue
The workqueue may execute late even after remoteproc is stopped or
stopping, some resources (rpmsg device and endpoint) have been
released in rproc_stop_subdevices(), then rproc_vq_interrupt()
accessing these resources will cause kernel dump.
Call trace:
  virtqueue_add_split+0x1ac/0x560
  virtqueue_add_inbuf+0x4c/0x60
  rpmsg_recv_done+0x15c/0x294
  vring_interrupt+0x6c/0xa4
  rproc_vq_interrupt+0x30/0x50
  imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]
  process_one_work+0x1d0/0x354
  worker_thread+0x13c/0x470
  kthread+0x154/0x160
  ret_from_fork+0x10/0x20
Add mutex protection in imx_dsp_rproc_vq_work(), if the state is
not running, then just skip calling rproc_vq_interrupt().
Also the flush workqueue operation can't be added in rproc stop
for the same reason. The call sequence is
rproc_shutdown
-> rproc_stop
->rproc_stop_subdevices
->rproc->ops->stop()
->imx_dsp_rproc_stop
->flush_work
-> rproc_vq_interrupt
The resource needed by rproc_vq_interrupt has been released in
rproc_stop_subdevices, so flush_work is not safe to be called in
imx_dsp_rproc_stop.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/remoteproc/imx_dsp_rproc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4a3e1fa7a77838617bdbcd95127ce93a959fad44", "status": "affected", "version": "ec0e5549f3586d2cb99a05edd006d722ebad912c", "versionType": "git" }, { "lessThan": "b9693304b7133b81741add5bfb56f022596df012", "status": "affected", "version": "ec0e5549f3586d2cb99a05edd006d722ebad912c", "versionType": "git" }, { "lessThan": "47e6ab07018edebf94ce873cf50a05ec76ff2dde", "status": "affected", "version": "ec0e5549f3586d2cb99a05edd006d722ebad912c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/remoteproc/imx_dsp_rproc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.16" }, { "lessThan": "5.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.18", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.18", "versionStartIncluding": "5.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.4", "versionStartIncluding": "5.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": 
"In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_dsp_rproc: Add mutex protection for workqueue\n\nThe workqueue may execute late even after remoteproc is stopped or\nstopping, some resources (rpmsg device and endpoint) have been\nreleased in rproc_stop_subdevices(), then rproc_vq_interrupt()\naccessing these resources will cause kennel dump.\n\nCall trace:\n virtqueue_add_split+0x1ac/0x560\n virtqueue_add_inbuf+0x4c/0x60\n rpmsg_recv_done+0x15c/0x294\n vring_interrupt+0x6c/0xa4\n rproc_vq_interrupt+0x30/0x50\n imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]\n process_one_work+0x1d0/0x354\n worker_thread+0x13c/0x470\n kthread+0x154/0x160\n ret_from_fork+0x10/0x20\n\nAdd mutex protection in imx_dsp_rproc_vq_work(), if the state is\nnot running, then just skip calling rproc_vq_interrupt().\n\nAlso the flush workqueue operation can\u0027t be added in rproc stop\nfor the same reason. The call sequence is\n\nrproc_shutdown\n-\u003e rproc_stop\n -\u003erproc_stop_subdevices\n -\u003erproc-\u003eops-\u003estop()\n -\u003eimx_dsp_rproc_stop\n -\u003eflush_work\n -\u003e rproc_vq_interrupt\n\nThe resource needed by rproc_vq_interrupt has been released in\nrproc_stop_subdevices, so flush_work is not safe to be called in\nimx_dsp_rproc_stop." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:05.613Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4a3e1fa7a77838617bdbcd95127ce93a959fad44" }, { "url": "https://git.kernel.org/stable/c/b9693304b7133b81741add5bfb56f022596df012" }, { "url": "https://git.kernel.org/stable/c/47e6ab07018edebf94ce873cf50a05ec76ff2dde" } ], "title": "remoteproc: imx_dsp_rproc: Add mutex protection for workqueue", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50426", "datePublished": "2025-10-01T11:42:05.613Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:42:05.613Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53468 (GCVE-0-2023-53468)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix memory leak in alloc_wbufs()
kmemleak reported a sequence of memory leaks, shown as follows:
unreferenced object 0xffff8881575f8400 (size 1024):
comm "mount", pid 19625, jiffies 4297119604 (age 20.383s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
[<ffffffffa0406b2b>] ubifs_mount+0x307b/0x7170 [ubifs]
[<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
[<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
[<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
[<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
[<ffffffff83c14295>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
unreferenced object 0xffff8881798a6e00 (size 512):
comm "mount", pid 19677, jiffies 4297121912 (age 37.816s)
hex dump (first 32 bytes):
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
backtrace:
[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
[<ffffffffa0418342>] ubifs_wbuf_init+0x52/0x480 [ubifs]
[<ffffffffa0406ca5>] ubifs_mount+0x31f5/0x7170 [ubifs]
[<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
[<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
[<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
[<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
[<ffffffff83c14295>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
The problem is that ubifs_wbuf_init() returns an error in the
loop in alloc_wbufs(), and the wbuf->buf and wbuf->inodes
that were successfully allocated before are not freed.
Fix it by adding an error handling path in alloc_wbufs() which frees
the memory allocated before when ubifs_wbuf_init() returns an error.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ubifs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1f206002c6bc302bface871ef3f72c0bbcaa931c", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" }, { "lessThan": "bf50229494f0443b3f08427d7df63e5a7e2a796a", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" }, { "lessThan": "3e29634eb56e6547272fe4e568f63421f8b3b9fa", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" }, { "lessThan": "26ec45f1c504e15268383019df139d7983f1e67f", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" }, { "lessThan": "e11f36d3bc4d23f620754a948fe7b82b63dcb185", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" }, { "lessThan": "4a1ff3c5d04b9079b4f768d9a71b51c4af578dd2", "status": "affected", "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ubifs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.27" }, { "lessThan": "2.6.27", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.100", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.18", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": 
"unaffected", "version": "6.2.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "versionStartIncluding": "2.6.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "versionStartIncluding": "2.6.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.100", "versionStartIncluding": "2.6.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.18", "versionStartIncluding": "2.6.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.5", "versionStartIncluding": "2.6.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "2.6.27", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in alloc_wbufs()\n\nkmemleak reported a sequence of memory leaks, and show them as following:\n\n unreferenced object 0xffff8881575f8400 (size 1024):\n comm \"mount\", pid 19625, jiffies 4297119604 (age 20.383s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff8176cecd\u003e] __kmalloc+0x4d/0x150\n [\u003cffffffffa0406b2b\u003e] ubifs_mount+0x307b/0x7170 [ubifs]\n [\u003cffffffff819fa8fd\u003e] legacy_get_tree+0xed/0x1d0\n [\u003cffffffff81936f2d\u003e] vfs_get_tree+0x7d/0x230\n [\u003cffffffff819b2bd4\u003e] 
path_mount+0xdd4/0x17b0\n [\u003cffffffff819b37aa\u003e] __x64_sys_mount+0x1fa/0x270\n [\u003cffffffff83c14295\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n unreferenced object 0xffff8881798a6e00 (size 512):\n comm \"mount\", pid 19677, jiffies 4297121912 (age 37.816s)\n hex dump (first 32 bytes):\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n backtrace:\n [\u003cffffffff8176cecd\u003e] __kmalloc+0x4d/0x150\n [\u003cffffffffa0418342\u003e] ubifs_wbuf_init+0x52/0x480 [ubifs]\n [\u003cffffffffa0406ca5\u003e] ubifs_mount+0x31f5/0x7170 [ubifs]\n [\u003cffffffff819fa8fd\u003e] legacy_get_tree+0xed/0x1d0\n [\u003cffffffff81936f2d\u003e] vfs_get_tree+0x7d/0x230\n [\u003cffffffff819b2bd4\u003e] path_mount+0xdd4/0x17b0\n [\u003cffffffff819b37aa\u003e] __x64_sys_mount+0x1fa/0x270\n [\u003cffffffff83c14295\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe problem is that the ubifs_wbuf_init() returns an error in the\nloop which in the alloc_wbufs(), then the wbuf-\u003ebuf and wbuf-\u003einodes\nthat were successfully alloced before are not freed.\n\nFix it by adding error hanging path in alloc_wbufs() which frees\nthe memory alloced before when ubifs_wbuf_init() returns an error." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:38.673Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1f206002c6bc302bface871ef3f72c0bbcaa931c" }, { "url": "https://git.kernel.org/stable/c/bf50229494f0443b3f08427d7df63e5a7e2a796a" }, { "url": "https://git.kernel.org/stable/c/3e29634eb56e6547272fe4e568f63421f8b3b9fa" }, { "url": "https://git.kernel.org/stable/c/26ec45f1c504e15268383019df139d7983f1e67f" }, { "url": "https://git.kernel.org/stable/c/e11f36d3bc4d23f620754a948fe7b82b63dcb185" }, { "url": "https://git.kernel.org/stable/c/4a1ff3c5d04b9079b4f768d9a71b51c4af578dd2" } ], "title": "ubifs: Fix memory leak in alloc_wbufs()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53468", "datePublished": "2025-10-01T11:42:38.673Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:38.673Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50432 (GCVE-0-2022-50432)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix use-after-free in __kernfs_remove
Syzkaller managed to trigger concurrent calls to
kernfs_remove_by_name_ns() for the same file resulting in
a KASAN detected use-after-free. The race occurs when the root
node is freed during kernfs_drain().
To prevent this acquire an additional reference for the root
of the tree that is removed before calling __kernfs_remove().
Found by syzkaller with the following reproducer (slab_nomerge is
required):
syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
close(r0)
pipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800)
mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})
Sample report:
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857
CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433
kasan_report+0xa3/0x130 mm/kasan/report.c:495
kernfs_type include/linux/kernfs.h:335 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
__kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
__kernfs_remove fs/kernfs/dir.c:1356 [inline]
kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
__kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
create_cache mm/slab_common.c:229 [inline]
kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
p9_client_create+0xd4d/0x1190 net/9p/client.c:993
v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
vfs_get_tree+0x85/0x2e0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x675/0x1d00 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x282/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f725f983aed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000
R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000
</TASK>
Allocated by task 855:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:7
---truncated---
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/kernfs/dir.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4dfd6a477a1525773469feaf3c514b2c0fef76b5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "02eb35131050735332658029082f61515b7dfe38", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "028cf780743eea79abffa7206b9dcfc080ad3546", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c78b0dc6fb7fb389d674e491fd376388cdfb1d53", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6f72a3977ba9d0e5491a5c01315204272e7f9c44", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "94d2643df1e70a4c310ebb5e2c493eec33df1a06", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "af1b57cc39beca203559576b3046094fc9e5eb32", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4abc99652812a2ddf932f137515d5c5a04723538", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/kernfs/dir.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.332", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.298", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": 
"4.19.264", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.223", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.332", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.298", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.264", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.223", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix use-after-free in __kernfs_remove\n\nSyzkaller managed to trigger concurrent calls to\nkernfs_remove_by_name_ns() for the same file resulting in\na KASAN detected use-after-free. 
The race occurs when the root\nnode is freed during kernfs_drain().\n\nTo prevent this acquire an additional reference for the root\nof the tree that is removed before calling __kernfs_remove().\n\nFound by syzkaller with the following reproducer (slab_nomerge is\nrequired):\n\nsyz_mount_image$ext4(0x0, \u0026(0x7f0000000100)=\u0027./file0\\x00\u0027, 0x100000, 0x0, 0x0, 0x0, 0x0)\nr0 = openat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027/proc/self/exe\\x00\u0027, 0x0, 0x0)\nclose(r0)\npipe2(\u0026(0x7f0000000140)={0xffffffffffffffff, \u003cr1=\u003e0xffffffffffffffff}, 0x800)\nmount$9p_fd(0x0, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, \u0026(0x7f00000000c0), 0x408, \u0026(0x7f0000000280)={\u0027trans=fd,\u0027, {\u0027rfdno\u0027, 0x3d, r0}, 0x2c, {\u0027wfdno\u0027, 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={\u0027mask\u0027, 0x3d, \u0027^MAY_EXEC\u0027}}, {@fsmagic={\u0027fsmagic\u0027, 0x3d, 0x10001}}, {@dont_hash}]}})\n\nSample report:\n\n==================================================================\nBUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]\nBUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\nBUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\nRead of size 2 at addr ffff8880088807f0 by task syz-executor.2/857\n\nCPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433\n kasan_report+0xa3/0x130 mm/kasan/report.c:495\n kernfs_type include/linux/kernfs.h:335 [inline]\n kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\n __kernfs_remove.part.0+0x843/0x960 
fs/kernfs/dir.c:1369\n __kernfs_remove fs/kernfs/dir.c:1356 [inline]\n kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589\n sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943\n __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335\n p9_client_create+0xd4d/0x1190 net/9p/client.c:993\n v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408\n v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126\n legacy_get_tree+0xf1/0x200 fs/fs_context.c:610\n vfs_get_tree+0x85/0x2e0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x675/0x1d00 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x282/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f725f983aed\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\nRAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed\nRDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000\nRBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000\nR10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000\n \u003c/TASK\u003e\n\nAllocated by task 855:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:437 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470\n kasan_slab_alloc include/linux/kasan.h:224 [inline]\n slab_post_alloc_hook mm/slab.h:7\n---truncated---" } ], 
"providerMetadata": { "dateUpdated": "2025-10-01T11:42:10.573Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4dfd6a477a1525773469feaf3c514b2c0fef76b5" }, { "url": "https://git.kernel.org/stable/c/02eb35131050735332658029082f61515b7dfe38" }, { "url": "https://git.kernel.org/stable/c/028cf780743eea79abffa7206b9dcfc080ad3546" }, { "url": "https://git.kernel.org/stable/c/c78b0dc6fb7fb389d674e491fd376388cdfb1d53" }, { "url": "https://git.kernel.org/stable/c/6f72a3977ba9d0e5491a5c01315204272e7f9c44" }, { "url": "https://git.kernel.org/stable/c/94d2643df1e70a4c310ebb5e2c493eec33df1a06" }, { "url": "https://git.kernel.org/stable/c/af1b57cc39beca203559576b3046094fc9e5eb32" }, { "url": "https://git.kernel.org/stable/c/4abc99652812a2ddf932f137515d5c5a04723538" } ], "title": "kernfs: fix use-after-free in __kernfs_remove", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50432", "datePublished": "2025-10-01T11:42:10.573Z", "dateReserved": "2025-09-17T14:53:07.009Z", "dateUpdated": "2025-10-01T11:42:10.573Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53498 (GCVE-0-2023-53498)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential null dereference
The adev->dm.dc pointer can be NULL and dereferenced in amdgpu_dm_fini()
without checking.
Add a NULL pointer check before calling dc_dmub_srv_destroy().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 9a71c7d31734f74549ad2bcd652c403c71e7c8d1
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4b1afffdd94093118b3cc235ef2b4d2520fb4950", "status": "affected", "version": "9a71c7d31734f74549ad2bcd652c403c71e7c8d1", "versionType": "git" }, { "lessThan": "b75aaebac265e3f29863699d9a929fdfba13d0a4", "status": "affected", "version": "9a71c7d31734f74549ad2bcd652c403c71e7c8d1", "versionType": "git" }, { "lessThan": "281933f36a53fed1c2993a92cf1edfb424595474", "status": "affected", "version": "9a71c7d31734f74549ad2bcd652c403c71e7c8d1", "versionType": "git" }, { "lessThan": "d4b749771fed3f99bbe8880eaab32a05ede0e5fa", "status": "affected", "version": "9a71c7d31734f74549ad2bcd652c403c71e7c8d1", "versionType": "git" }, { "lessThan": "52f1783ff4146344342422c1cd94fcb4ce39b6fe", "status": "affected", "version": "9a71c7d31734f74549ad2bcd652c403c71e7c8d1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.111", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.28", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { 
"nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.111", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.28", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null dereference\n\nThe adev-\u003edm.dc pointer can be NULL and dereferenced in amdgpu_dm_fini()\nwithout checking.\n\nAdd a NULL pointer check before calling dc_dmub_srv_destroy().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:49.549Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4b1afffdd94093118b3cc235ef2b4d2520fb4950" }, { "url": "https://git.kernel.org/stable/c/b75aaebac265e3f29863699d9a929fdfba13d0a4" }, { "url": "https://git.kernel.org/stable/c/281933f36a53fed1c2993a92cf1edfb424595474" }, { "url": "https://git.kernel.org/stable/c/d4b749771fed3f99bbe8880eaab32a05ede0e5fa" }, { "url": "https://git.kernel.org/stable/c/52f1783ff4146344342422c1cd94fcb4ce39b6fe" } ], "title": "drm/amd/display: Fix potential null dereference", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53498", "datePublished": "2025-10-01T11:45:49.549Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T11:45:49.549Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50441 (GCVE-0-2022-50441)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Lag, fix failure to cancel delayed bond work
Commit 0d4e8ed139d8 ("net/mlx5: Lag, avoid lockdep warnings")
accidentally removed a call to cancel delayed bond work thus it may
cause queued delay to expire and fall on an already destroyed work
queue.
Fix by restoring the call cancel_delayed_work_sync() before
destroying the workqueue.
This prevents call trace such as this:
[ 329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 329.231444] #PF: supervisor write access in kernel mode
[ 329.232233] #PF: error_code(0x0002) - not-present page
[ 329.233007] PGD 0 P4D 0
[ 329.233476] Oops: 0002 [#1] SMP
[ 329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1
[ 329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]
[ 329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20
[ 329.238585] Code: f0 0f b1 17 75 02 f3 c3 89 c6 e9 6f 3c 5f ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 02 f3 c3 89 c6 e9 45 3c 5f ff 0f 1f 44 00 00 0f 1f
[ 329.241156] RSP: 0018:ffffc900001b0e98 EFLAGS: 00010046
[ 329.241940] RAX: 0000000000000000 RBX: ffffffff82374ae0 RCX: 0000000000000000
[ 329.242954] RDX: 0000000000000001 RSI: 0000000000000014 RDI: 0000000000000000
[ 329.243974] RBP: ffff888106ccf000 R08: ffff8881004000c8 R09: ffff888100400000
[ 329.244990] R10: 0000000000000000 R11: ffffffff826669f8 R12: 0000000000002000
[ 329.246009] R13: 0000000000000005 R14: ffff888100aa7ce0 R15: ffff88852ca80000
[ 329.247030] FS: 0000000000000000(0000) GS:ffff88852ca80000(0000) knlGS:0000000000000000
[ 329.248260] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 329.249111] CR2: 0000000000000000 CR3: 000000016d675001 CR4: 0000000000770ee0
[ 329.250133] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 329.251152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 329.252176] PKRU: 55555554
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5df57bb04e91add52fb67e226209df9a17f06a89", "status": "affected", "version": "ff24a802204620214afa75a5e64280f40015e399", "versionType": "git" }, { "lessThan": "8f1b8b3133504bf9125ee507ddcc3a8fb41a41f0", "status": "affected", "version": "0d4e8ed139d871fcb2844dd71075997753baeec8", "versionType": "git" }, { "lessThan": "4d1c1379d71777ddeda3e54f8fc26e9ecbfd1009", "status": "affected", "version": "0d4e8ed139d871fcb2844dd71075997753baeec8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.19", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.19", "versionStartIncluding": "6.0.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.5", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], 
"descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Lag, fix failure to cancel delayed bond work\n\nCommit 0d4e8ed139d8 (\"net/mlx5: Lag, avoid lockdep warnings\")\naccidentally removed a call to cancel delayed bond work thus it may\ncause queued delay to expire and fall on an already destroyed work\nqueue.\n\nFix by restoring the call cancel_delayed_work_sync() before\ndestroying the workqueue.\n\nThis prevents call trace such as this:\n\n[ 329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [ 329.231444] #PF: supervisor write access in kernel mode\n [ 329.232233] #PF: error_code(0x0002) - not-present page\n [ 329.233007] PGD 0 P4D 0\n [ 329.233476] Oops: 0002 [#1] SMP\n [ 329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1\n [ 329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [ 329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]\n [ 329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20\n [ 329.238585] Code: f0 0f b1 17 75 02 f3 c3 89 c6 e9 6f 3c 5f ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 31 c0 ba 01 00 00 00 \u003cf0\u003e 0f b1 17 75 02 f3 c3 89 c6 e9 45 3c 5f ff 0f 1f 44 00 00 0f 1f\n [ 329.241156] RSP: 0018:ffffc900001b0e98 EFLAGS: 00010046\n [ 329.241940] RAX: 0000000000000000 RBX: ffffffff82374ae0 RCX: 0000000000000000\n [ 329.242954] RDX: 0000000000000001 RSI: 0000000000000014 RDI: 0000000000000000\n [ 329.243974] RBP: ffff888106ccf000 R08: ffff8881004000c8 R09: ffff888100400000\n [ 329.244990] R10: 0000000000000000 R11: ffffffff826669f8 R12: 0000000000002000\n [ 329.246009] R13: 0000000000000005 R14: ffff888100aa7ce0 R15: ffff88852ca80000\n [ 329.247030] FS: 0000000000000000(0000) GS:ffff88852ca80000(0000) knlGS:0000000000000000\n [ 329.248260] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 329.249111] CR2: 
0000000000000000 CR3: 000000016d675001 CR4: 0000000000770ee0\n [ 329.250133] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 329.251152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [ 329.252176] PKRU: 55555554" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:17.313Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5df57bb04e91add52fb67e226209df9a17f06a89" }, { "url": "https://git.kernel.org/stable/c/8f1b8b3133504bf9125ee507ddcc3a8fb41a41f0" }, { "url": "https://git.kernel.org/stable/c/4d1c1379d71777ddeda3e54f8fc26e9ecbfd1009" } ], "title": "net/mlx5: Lag, fix failure to cancel delayed bond work", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50441", "datePublished": "2025-10-01T11:42:17.313Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:17.313Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53489 (GCVE-0-2023-53489)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY
skbs. We can reproduce the problem with these sequences:
sk = socket(AF_INET, SOCK_DGRAM, 0)
sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)
sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)
sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53))
sk.close()
sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets
skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct
ubuf_info_msgzc indirectly holds a refcnt of the socket. When the
skb is sent, __skb_tstamp_tx() clones it and puts the clone into
the socket's error queue with the TX timestamp.
When the original skb is received locally, skb_copy_ubufs() calls
skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt.
This additional count is decremented while freeing the skb, but struct
ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is
not called.
The last refcnt is not released unless we retrieve the TX timestamped
skb by recvmsg(). Since we clear the error queue in inet_sock_destruct()
after the socket's refcnt reaches 0, there is a circular dependency.
If we close() the socket holding such skbs, we never call sock_put()
and leak the count, sk, and skb.
TCP has the same problem, and commit e0c8bccd40fc ("net: stream:
purge sk_error_queue in sk_stream_kill_queues()") tried to fix it
by calling skb_queue_purge() during close(). However, there is a
small chance that skb queued in a qdisc or device could be put
into the error queue after the skb_queue_purge() call.
In __skb_tstamp_tx(), the cloned skb should not have a reference
to the ubuf to remove the circular dependency, but skb_clone() does
not call skb_copy_ubufs() for zerocopy skb. So, we need to call
skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().
[0]:
BUG: memory leak
unreferenced object 0xffff88800c6d2d00 (size 1152):
comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................
02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024
[<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083
[<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline]
[<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245
[<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515
[<00000000b9b11231>] sock_create net/socket.c:1566 [inline]
[<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline]
[<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline]
[<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636
[<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline]
[<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline]
[<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
[<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
[<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff888017633a00 (size 240):
comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....
backtrace:
[<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497
[<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline]
[<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596
[<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]
[<00000000be626478>]
---truncated---
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 Version: f214f915e7db99091f1312c48b30928c1e0c90b7 |
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/skbuff.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "281072fb2a7294cde7acbf5375b879f40a8001b7", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "1f69c086b20e27763af28145981435423f088268", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "602fa8af44fd55a58f9e94eb673e8adad2c6cc46", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "230a5ed7d813fb516de81d23f09d7506753e41e9", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "cb52e7f24c1d01a536a847dff0d1d95889cc3b5c", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "30290f210ba7426ff7592fe2eb4114b1b5bad219", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "426384dd4980040651536fef5feac4dcc4d7ee4e", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" }, { "lessThan": "50749f2dd6854a41830996ad302aef2ffaf011d8", "status": "affected", "version": "f214f915e7db99091f1312c48b30928c1e0c90b7", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/skbuff.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.14" }, { "lessThan": "4.14", "status": "unaffected", "version": "0", 
"versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.315", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.283", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.243", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.180", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.111", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.28", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.315", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.283", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.243", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.180", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.111", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.28", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.2.15", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "4.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.\n\nsyzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY\nskbs. We can reproduce the problem with these sequences:\n\n sk = socket(AF_INET, SOCK_DGRAM, 0)\n sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)\n sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)\n sk.sendto(b\u0027\u0027, MSG_ZEROCOPY, (\u0027127.0.0.1\u0027, 53))\n sk.close()\n\nsendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets\nskb-\u003ecb-\u003eubuf.refcnt to 1, and calls sock_hold(). Here, struct\nubuf_info_msgzc indirectly holds a refcnt of the socket. When the\nskb is sent, __skb_tstamp_tx() clones it and puts the clone into\nthe socket\u0027s error queue with the TX timestamp.\n\nWhen the original skb is received locally, skb_copy_ubufs() calls\nskb_unclone(), and pskb_expand_head() increments skb-\u003ecb-\u003eubuf.refcnt.\nThis additional count is decremented while freeing the skb, but struct\nubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is\nnot called.\n\nThe last refcnt is not released unless we retrieve the TX timestamped\nskb by recvmsg(). 
Since we clear the error queue in inet_sock_destruct()\nafter the socket\u0027s refcnt reaches 0, there is a circular dependency.\nIf we close() the socket holding such skbs, we never call sock_put()\nand leak the count, sk, and skb.\n\nTCP has the same problem, and commit e0c8bccd40fc (\"net: stream:\npurge sk_error_queue in sk_stream_kill_queues()\") tried to fix it\nby calling skb_queue_purge() during close(). However, there is a\nsmall chance that skb queued in a qdisc or device could be put\ninto the error queue after the skb_queue_purge() call.\n\nIn __skb_tstamp_tx(), the cloned skb should not have a reference\nto the ubuf to remove the circular dependency, but skb_clone() does\nnot call skb_copy_ubufs() for zerocopy skb. So, we need to call\nskb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88800c6d2d00 (size 1152):\n comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................\n 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [\u003c0000000055636812\u003e] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024\n [\u003c0000000054d77b7a\u003e] sk_alloc+0x3b/0x800 net/core/sock.c:2083\n [\u003c0000000066f3c7e0\u003e] inet_create net/ipv4/af_inet.c:319 [inline]\n [\u003c0000000066f3c7e0\u003e] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245\n [\u003c000000009b83af97\u003e] __sock_create+0x2ab/0x550 net/socket.c:1515\n [\u003c00000000b9b11231\u003e] sock_create net/socket.c:1566 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket_create net/socket.c:1603 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket_create net/socket.c:1588 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket+0x138/0x250 net/socket.c:1636\n [\u003c000000004fb45142\u003e] __do_sys_socket net/socket.c:1649 [inline]\n [\u003c000000004fb45142\u003e] __se_sys_socket net/socket.c:1647 
[inline]\n [\u003c000000004fb45142\u003e] __x64_sys_socket+0x73/0xb0 net/socket.c:1647\n [\u003c0000000066999e0e\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003c0000000066999e0e\u003e] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n [\u003c0000000017f238c1\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nBUG: memory leak\nunreferenced object 0xffff888017633a00 (size 240):\n comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....\n backtrace:\n [\u003c000000002b1c4368\u003e] __alloc_skb+0x229/0x320 net/core/skbuff.c:497\n [\u003c00000000143579a6\u003e] alloc_skb include/linux/skbuff.h:1265 [inline]\n [\u003c00000000143579a6\u003e] sock_omalloc+0xaa/0x190 net/core/sock.c:2596\n [\u003c00000000be626478\u003e] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]\n [\u003c00000000be626478\u003e]\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:41.304Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7" }, { "url": "https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268" }, { "url": "https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46" }, { "url": "https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9" }, { "url": "https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a" }, { "url": "https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c" }, { "url": "https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219" }, { "url": "https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e" }, { "url": "https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8" } ], "title": "tcp/udp: Fix memleaks of 
sk and zerocopy skbs with TX timestamp.", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53489", "datePublished": "2025-10-01T11:45:41.304Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:41.304Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53521 (GCVE-0-2023-53521)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013
When edev->components is zero, accessing edev->component[0] members is
wrong.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/ses.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "76f7050537476ac062ec23a544fbca8270f2d08b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "87e47be38d205df338c52ead43f23b2864567423", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "40af9a6deed723485e05b7d3255a28750692e8db", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8f9542cad6c27297c8391de3a659f0b7948495d0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0595cdb587726b4f0fa780eb7462e3679d141e82", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "82143faf01dda831b89eccef60c39ef8575ab08a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2fb1fa8425cce2dc4dce298275d22d7077694b73", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "578797f0c8cbc2e3ec5fc0dab87087b4c7073686", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/ses.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.308", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.276", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": 
"5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.308", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.276", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix slab-out-of-bounds in ses_intf_remove()\n\nA fix for:\n\nBUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]\nRead of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013\n\nWhen edev-\u003ecomponents is zero, accessing edev-\u003ecomponent[0] 
members is\nwrong." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:08.131Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/76f7050537476ac062ec23a544fbca8270f2d08b" }, { "url": "https://git.kernel.org/stable/c/87e47be38d205df338c52ead43f23b2864567423" }, { "url": "https://git.kernel.org/stable/c/40af9a6deed723485e05b7d3255a28750692e8db" }, { "url": "https://git.kernel.org/stable/c/8f9542cad6c27297c8391de3a659f0b7948495d0" }, { "url": "https://git.kernel.org/stable/c/0595cdb587726b4f0fa780eb7462e3679d141e82" }, { "url": "https://git.kernel.org/stable/c/82143faf01dda831b89eccef60c39ef8575ab08a" }, { "url": "https://git.kernel.org/stable/c/2fb1fa8425cce2dc4dce298275d22d7077694b73" }, { "url": "https://git.kernel.org/stable/c/578797f0c8cbc2e3ec5fc0dab87087b4c7073686" } ], "title": "scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53521", "datePublished": "2025-10-01T11:46:08.131Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:08.131Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53525 (GCVE-0-2023-53525)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Allow UD qp_type to join multicast only
As for multicast:
- The SIDR is the only mode that makes sense;
- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
UD compatible. In this case qkey also needs to be set [1].
This patch allows only UD qp_type to join multicast, and set qkey to
default if it's not set, to fix an uninit-value error: the ib->rec.qkey
field is accessed without being initialized.
=====================================================
BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]
rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814
ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546
ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732
vfs_write+0x8ce/0x2030 fs/read_write.c:588
ksys_write+0x28c/0x520 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__ia32_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Local variable ib.i created at:
cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]
rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814
ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | Version: b5de0c60cc30c2a3513c7188c73f3f29acc29234 Version: b5de0c60cc30c2a3513c7188c73f3f29acc29234 Version: b5de0c60cc30c2a3513c7188c73f3f29acc29234 Version: b5de0c60cc30c2a3513c7188c73f3f29acc29234 Version: b5de0c60cc30c2a3513c7188c73f3f29acc29234 Version: b8d1adbff983be0b54f61c9a4169609d7fab0620 Version: feed39c8d1282279fcb30612aa0e8d2635c11280 |
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/cma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ae11498851423d6de27aebfe12a5ee85060ab1d5", "status": "affected", "version": "b5de0c60cc30c2a3513c7188c73f3f29acc29234", "versionType": "git" }, { "lessThan": "48e8e7851dc0b1584d83817a78fc7108c8904b54", "status": "affected", "version": "b5de0c60cc30c2a3513c7188c73f3f29acc29234", "versionType": "git" }, { "lessThan": "02eabb635bc64bd1e3a7cf887d6d182bffb64b99", "status": "affected", "version": "b5de0c60cc30c2a3513c7188c73f3f29acc29234", "versionType": "git" }, { "lessThan": "bb18b9dbac2bbdf7695e0bfaac4bf944ff7b207d", "status": "affected", "version": "b5de0c60cc30c2a3513c7188c73f3f29acc29234", "versionType": "git" }, { "lessThan": "58e84f6b3e84e46524b7e5a916b53c1ad798bc8f", "status": "affected", "version": "b5de0c60cc30c2a3513c7188c73f3f29acc29234", "versionType": "git" }, { "status": "affected", "version": "b8d1adbff983be0b54f61c9a4169609d7fab0620", "versionType": "git" }, { "status": "affected", "version": "feed39c8d1282279fcb30612aa0e8d2635c11280", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/cma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.178", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.108", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.25", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.12", 
"versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.178", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.108", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.25", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.12", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Allow UD qp_type to join multicast only\n\nAs for multicast:\n- The SIDR is the only mode that makes sense;\n- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is\n UD compatible. 
In this case qkey also needs to be set [1].\n\nThis patch allows only UD qp_type to join multicast, and set qkey to\ndefault if it\u0027s not set, to fix an uninit-value error: the ib-\u003erec.qkey\nfield is accessed without being initialized.\n\n=====================================================\nBUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]\nBUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570\n cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]\n cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570\n cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]\n rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814\n ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479\n ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546\n ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732\n vfs_write+0x8ce/0x2030 fs/read_write.c:588\n ksys_write+0x28c/0x520 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __ia32_sys_write+0xdb/0x120 fs/read_write.c:652\n do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]\n __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180\n do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nLocal variable ib.i created at:\ncma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]\nrdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814\nucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479\n\nCPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n=====================================================\n\n[1] 
https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:11.188Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ae11498851423d6de27aebfe12a5ee85060ab1d5" }, { "url": "https://git.kernel.org/stable/c/48e8e7851dc0b1584d83817a78fc7108c8904b54" }, { "url": "https://git.kernel.org/stable/c/02eabb635bc64bd1e3a7cf887d6d182bffb64b99" }, { "url": "https://git.kernel.org/stable/c/bb18b9dbac2bbdf7695e0bfaac4bf944ff7b207d" }, { "url": "https://git.kernel.org/stable/c/58e84f6b3e84e46524b7e5a916b53c1ad798bc8f" } ], "title": "RDMA/cma: Allow UD qp_type to join multicast only", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53525", "datePublished": "2025-10-01T11:46:11.188Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:11.188Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53467 (GCVE-0-2023-53467)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential leak in rtw89_append_probe_req_ie()
Do `kfree_skb(new)` before `goto out` to prevent potential leak.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw89/fw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1e336d6bab68973084a18c1e4bd78cd0bbbdcacd", "status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "versionType": "git" }, { "lessThan": "a10b6d73123bd480751d916575835abb615072fd", "status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "versionType": "git" }, { "lessThan": "4a0e218cc9c42d1903ade8b5a371dcf48cf918c5", "status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw89/fw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": 
"en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential leak in rtw89_append_probe_req_ie()\n\nDo `kfree_skb(new)` before `goto out` to prevent potential leak." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:37.757Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1e336d6bab68973084a18c1e4bd78cd0bbbdcacd" }, { "url": "https://git.kernel.org/stable/c/a10b6d73123bd480751d916575835abb615072fd" }, { "url": "https://git.kernel.org/stable/c/4a0e218cc9c42d1903ade8b5a371dcf48cf918c5" } ], "title": "wifi: rtw89: fix potential leak in rtw89_append_probe_req_ie()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53467", "datePublished": "2025-10-01T11:42:37.757Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:37.757Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50445 (GCVE-0-2022-50445)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Reinject transport-mode packets through workqueue
The following warning is displayed when the tcp6-multi-diffip11 stress
test case of the LTP test suite is tested:
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ns-tcpserver:48198]
CPU: 0 PID: 48198 Comm: ns-tcpserver Kdump: loaded Not tainted 6.0.0-rc6+ #39
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : des3_ede_encrypt+0x27c/0x460 [libdes]
lr : 0x3f
sp : ffff80000ceaa1b0
x29: ffff80000ceaa1b0 x28: ffff0000df056100 x27: ffff0000e51e5280
x26: ffff80004df75030 x25: ffff0000e51e4600 x24: 000000000000003b
x23: 0000000000802080 x22: 000000000000003d x21: 0000000000000038
x20: 0000000080000020 x19: 000000000000000a x18: 0000000000000033
x17: ffff0000e51e4780 x16: ffff80004e2d1448 x15: ffff80004e2d1248
x14: ffff0000e51e4680 x13: ffff80004e2d1348 x12: ffff80004e2d1548
x11: ffff80004e2d1848 x10: ffff80004e2d1648 x9 : ffff80004e2d1748
x8 : ffff80004e2d1948 x7 : 000000000bcaf83d x6 : 000000000000001b
x5 : ffff80004e2d1048 x4 : 00000000761bf3bf x3 : 000000007f1dd0a3
x2 : ffff0000e51e4780 x1 : ffff0000e3b9a2f8 x0 : 00000000db44e872
Call trace:
des3_ede_encrypt+0x27c/0x460 [libdes]
crypto_des3_ede_encrypt+0x1c/0x30 [des_generic]
crypto_cbc_encrypt+0x148/0x190
crypto_skcipher_encrypt+0x2c/0x40
crypto_authenc_encrypt+0xc8/0xfc [authenc]
crypto_aead_encrypt+0x2c/0x40
echainiv_encrypt+0x144/0x1a0 [echainiv]
crypto_aead_encrypt+0x2c/0x40
esp6_output_tail+0x1c8/0x5d0 [esp6]
esp6_output+0x120/0x278 [esp6]
xfrm_output_one+0x458/0x4ec
xfrm_output_resume+0x6c/0x1f0
xfrm_output+0xac/0x4ac
__xfrm6_output+0x130/0x270
xfrm6_output+0x60/0xec
ip6_xmit+0x2ec/0x5bc
inet6_csk_xmit+0xbc/0x10c
__tcp_transmit_skb+0x460/0x8c0
tcp_write_xmit+0x348/0x890
__tcp_push_pending_frames+0x44/0x110
tcp_rcv_established+0x3c8/0x720
tcp_v6_do_rcv+0xdc/0x4a0
tcp_v6_rcv+0xc24/0xcb0
ip6_protocol_deliver_rcu+0xf0/0x574
ip6_input_finish+0x48/0x7c
ip6_input+0x48/0xc0
ip6_rcv_finish+0x80/0x9c
xfrm_trans_reinject+0xb0/0xf4
tasklet_action_common.constprop.0+0xf8/0x134
tasklet_action+0x30/0x3c
__do_softirq+0x128/0x368
do_softirq+0xb4/0xc0
__local_bh_enable_ip+0xb0/0xb4
put_cpu_fpsimd_context+0x40/0x70
kernel_neon_end+0x20/0x40
sha1_base_do_update.constprop.0.isra.0+0x11c/0x140 [sha1_ce]
sha1_ce_finup+0x94/0x110 [sha1_ce]
crypto_shash_finup+0x34/0xc0
hmac_finup+0x48/0xe0
crypto_shash_finup+0x34/0xc0
shash_digest_unaligned+0x74/0x90
crypto_shash_digest+0x4c/0x9c
shash_ahash_digest+0xc8/0xf0
shash_async_digest+0x28/0x34
crypto_ahash_digest+0x48/0xcc
crypto_authenc_genicv+0x88/0xcc [authenc]
crypto_authenc_encrypt+0xd8/0xfc [authenc]
crypto_aead_encrypt+0x2c/0x40
echainiv_encrypt+0x144/0x1a0 [echainiv]
crypto_aead_encrypt+0x2c/0x40
esp6_output_tail+0x1c8/0x5d0 [esp6]
esp6_output+0x120/0x278 [esp6]
xfrm_output_one+0x458/0x4ec
xfrm_output_resume+0x6c/0x1f0
xfrm_output+0xac/0x4ac
__xfrm6_output+0x130/0x270
xfrm6_output+0x60/0xec
ip6_xmit+0x2ec/0x5bc
inet6_csk_xmit+0xbc/0x10c
__tcp_transmit_skb+0x460/0x8c0
tcp_write_xmit+0x348/0x890
__tcp_push_pending_frames+0x44/0x110
tcp_push+0xb4/0x14c
tcp_sendmsg_locked+0x71c/0xb64
tcp_sendmsg+0x40/0x6c
inet6_sendmsg+0x4c/0x80
sock_sendmsg+0x5c/0x6c
__sys_sendto+0x128/0x15c
__arm64_sys_sendto+0x30/0x40
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0x170/0x194
do_el0_svc+0x38/0x4c
el0_svc+0x28/0xe0
el0t_64_sync_handler+0xbc/0x13c
el0t_64_sync+0x180/0x184
Get softirq info by bcc tool:
./softirqs -NT 10
Tracing soft irq event time... Hit Ctrl-C to end.
15:34:34
SOFTIRQ TOTAL_nsecs
block 158990
timer 20030920
sched 46577080
net_rx 676746820
tasklet 9906067650
15:34:45
SOFTIRQ TOTAL_nsecs
block 86100
sched 38849790
net_rx
---truncated---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: acf568ee859f098279eadf551612f103afdacb4e Version: acf568ee859f098279eadf551612f103afdacb4e Version: acf568ee859f098279eadf551612f103afdacb4e Version: acf568ee859f098279eadf551612f103afdacb4e Version: 69895c5ea0ca2e8d7de1e6d36965d0ab9730787f Version: 833760100588acfb267dac4d6a02ab9931237739 Version: e095ecaec6d94aa2156cceb98a85d409b51190f3
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/xfrm/xfrm_input.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7d98b26684cb2390729525b341ea099f0badbe18", "status": "affected", "version": "acf568ee859f098279eadf551612f103afdacb4e", "versionType": "git" }, { "lessThan": "f520075da484306bbb8425afd2c42404ba74816f", "status": "affected", "version": "acf568ee859f098279eadf551612f103afdacb4e", "versionType": "git" }, { "lessThan": "130d9e5017ade1b81d16783563edb38c12a2eab7", "status": "affected", "version": "acf568ee859f098279eadf551612f103afdacb4e", "versionType": "git" }, { "lessThan": "4f4920669d21e1060b7243e5118dc3b71ced1276", "status": "affected", "version": "acf568ee859f098279eadf551612f103afdacb4e", "versionType": "git" }, { "status": "affected", "version": "69895c5ea0ca2e8d7de1e6d36965d0ab9730787f", "versionType": "git" }, { "status": "affected", "version": "833760100588acfb267dac4d6a02ab9931237739", "versionType": "git" }, { "status": "affected", "version": "e095ecaec6d94aa2156cceb98a85d409b51190f3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/xfrm/xfrm_input.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { 
"cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.100", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.55", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.24", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Reinject transport-mode packets through workqueue\n\nThe following warning is displayed when the tcp6-multi-diffip11 stress\ntest case of the LTP test suite is tested:\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 22s! 
[ns-tcpserver:48198]\nCPU: 0 PID: 48198 Comm: ns-tcpserver Kdump: loaded Not tainted 6.0.0-rc6+ #39\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : des3_ede_encrypt+0x27c/0x460 [libdes]\nlr : 0x3f\nsp : ffff80000ceaa1b0\nx29: ffff80000ceaa1b0 x28: ffff0000df056100 x27: ffff0000e51e5280\nx26: ffff80004df75030 x25: ffff0000e51e4600 x24: 000000000000003b\nx23: 0000000000802080 x22: 000000000000003d x21: 0000000000000038\nx20: 0000000080000020 x19: 000000000000000a x18: 0000000000000033\nx17: ffff0000e51e4780 x16: ffff80004e2d1448 x15: ffff80004e2d1248\nx14: ffff0000e51e4680 x13: ffff80004e2d1348 x12: ffff80004e2d1548\nx11: ffff80004e2d1848 x10: ffff80004e2d1648 x9 : ffff80004e2d1748\nx8 : ffff80004e2d1948 x7 : 000000000bcaf83d x6 : 000000000000001b\nx5 : ffff80004e2d1048 x4 : 00000000761bf3bf x3 : 000000007f1dd0a3\nx2 : ffff0000e51e4780 x1 : ffff0000e3b9a2f8 x0 : 00000000db44e872\nCall trace:\n des3_ede_encrypt+0x27c/0x460 [libdes]\n crypto_des3_ede_encrypt+0x1c/0x30 [des_generic]\n crypto_cbc_encrypt+0x148/0x190\n crypto_skcipher_encrypt+0x2c/0x40\n crypto_authenc_encrypt+0xc8/0xfc [authenc]\n crypto_aead_encrypt+0x2c/0x40\n echainiv_encrypt+0x144/0x1a0 [echainiv]\n crypto_aead_encrypt+0x2c/0x40\n esp6_output_tail+0x1c8/0x5d0 [esp6]\n esp6_output+0x120/0x278 [esp6]\n xfrm_output_one+0x458/0x4ec\n xfrm_output_resume+0x6c/0x1f0\n xfrm_output+0xac/0x4ac\n __xfrm6_output+0x130/0x270\n xfrm6_output+0x60/0xec\n ip6_xmit+0x2ec/0x5bc\n inet6_csk_xmit+0xbc/0x10c\n __tcp_transmit_skb+0x460/0x8c0\n tcp_write_xmit+0x348/0x890\n __tcp_push_pending_frames+0x44/0x110\n tcp_rcv_established+0x3c8/0x720\n tcp_v6_do_rcv+0xdc/0x4a0\n tcp_v6_rcv+0xc24/0xcb0\n ip6_protocol_deliver_rcu+0xf0/0x574\n ip6_input_finish+0x48/0x7c\n ip6_input+0x48/0xc0\n ip6_rcv_finish+0x80/0x9c\n xfrm_trans_reinject+0xb0/0xf4\n tasklet_action_common.constprop.0+0xf8/0x134\n tasklet_action+0x30/0x3c\n 
__do_softirq+0x128/0x368\n do_softirq+0xb4/0xc0\n __local_bh_enable_ip+0xb0/0xb4\n put_cpu_fpsimd_context+0x40/0x70\n kernel_neon_end+0x20/0x40\n sha1_base_do_update.constprop.0.isra.0+0x11c/0x140 [sha1_ce]\n sha1_ce_finup+0x94/0x110 [sha1_ce]\n crypto_shash_finup+0x34/0xc0\n hmac_finup+0x48/0xe0\n crypto_shash_finup+0x34/0xc0\n shash_digest_unaligned+0x74/0x90\n crypto_shash_digest+0x4c/0x9c\n shash_ahash_digest+0xc8/0xf0\n shash_async_digest+0x28/0x34\n crypto_ahash_digest+0x48/0xcc\n crypto_authenc_genicv+0x88/0xcc [authenc]\n crypto_authenc_encrypt+0xd8/0xfc [authenc]\n crypto_aead_encrypt+0x2c/0x40\n echainiv_encrypt+0x144/0x1a0 [echainiv]\n crypto_aead_encrypt+0x2c/0x40\n esp6_output_tail+0x1c8/0x5d0 [esp6]\n esp6_output+0x120/0x278 [esp6]\n xfrm_output_one+0x458/0x4ec\n xfrm_output_resume+0x6c/0x1f0\n xfrm_output+0xac/0x4ac\n __xfrm6_output+0x130/0x270\n xfrm6_output+0x60/0xec\n ip6_xmit+0x2ec/0x5bc\n inet6_csk_xmit+0xbc/0x10c\n __tcp_transmit_skb+0x460/0x8c0\n tcp_write_xmit+0x348/0x890\n __tcp_push_pending_frames+0x44/0x110\n tcp_push+0xb4/0x14c\n tcp_sendmsg_locked+0x71c/0xb64\n tcp_sendmsg+0x40/0x6c\n inet6_sendmsg+0x4c/0x80\n sock_sendmsg+0x5c/0x6c\n __sys_sendto+0x128/0x15c\n __arm64_sys_sendto+0x30/0x40\n invoke_syscall+0x50/0x120\n el0_svc_common.constprop.0+0x170/0x194\n do_el0_svc+0x38/0x4c\n el0_svc+0x28/0xe0\n el0t_64_sync_handler+0xbc/0x13c\n el0t_64_sync+0x180/0x184\n\nGet softirq info by bcc tool:\n./softirqs -NT 10\nTracing soft irq event time... 
Hit Ctrl-C to end.\n\n15:34:34\nSOFTIRQ TOTAL_nsecs\nblock 158990\ntimer 20030920\nsched 46577080\nnet_rx 676746820\ntasklet 9906067650\n\n15:34:45\nSOFTIRQ TOTAL_nsecs\nblock 86100\nsched 38849790\nnet_rx \n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:19.954Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7d98b26684cb2390729525b341ea099f0badbe18" }, { "url": "https://git.kernel.org/stable/c/f520075da484306bbb8425afd2c42404ba74816f" }, { "url": "https://git.kernel.org/stable/c/130d9e5017ade1b81d16783563edb38c12a2eab7" }, { "url": "https://git.kernel.org/stable/c/4f4920669d21e1060b7243e5118dc3b71ced1276" } ], "title": "xfrm: Reinject transport-mode packets through workqueue", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50445", "datePublished": "2025-10-01T11:45:19.954Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:45:19.954Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53456 (GCVE-0-2023-53456)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla4xxx: Add length check when parsing nlattrs
There are three places that qla4xxx parses nlattrs:
- qla4xxx_set_chap_entry()
- qla4xxx_iface_set_param()
- qla4xxx_sysfs_ddb_set_param()
and each of them directly converts the nlattr to specific pointer of
structure without length checking. This could be dangerous as those
attributes are not validated and a malformed nlattr (e.g., length 0) could
result in an OOB read that leaks heap dirty data.
Add the nla_len check before accessing the nlattr data and return EINVAL if
the length check fails.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qla4xxx/ql4_os.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cfa6a1a79ed6d336fac7a5d87eb5471e4401829f", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "5925e224cc6edfef57b20447f18323208461309b", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "47f3be62eab50b8cd7e1ae5fc2c4dae687497c34", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "6d65079c69dc1feb817ed71f5bd15e83a7d6832d", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "f61fc650c47849637fa1771a31a11674c824138a", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "25feffb3fbd51ae81d92c65cebc0e932663828b3", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "4ed21975311247bb84e82298eeb359ec0a0fa84d", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "b018c0440b871d8b001c996e95fa4538bd292de6", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" }, { "lessThan": "47cd3770e31df942e2bb925a9a855c79ed0662eb", "status": "affected", "version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qla4xxx/ql4_os.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.2" }, { "lessThan": "3.2", "status": "unaffected", 
"version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.53", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.53", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.16", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "3.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Add length check when parsing nlattrs\n\nThere are three places that qla4xxx parses nlattrs:\n\n - qla4xxx_set_chap_entry()\n\n - qla4xxx_iface_set_param()\n\n - qla4xxx_sysfs_ddb_set_param()\n\nand each of them directly converts the nlattr to specific pointer of\nstructure without length checking. This could be dangerous as those\nattributes are not validated and a malformed nlattr (e.g., length 0) could\nresult in an OOB read that leaks heap dirty data.\n\nAdd the nla_len check before accessing the nlattr data and return EINVAL if\nthe length check fails." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:27.821Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cfa6a1a79ed6d336fac7a5d87eb5471e4401829f" }, { "url": "https://git.kernel.org/stable/c/5925e224cc6edfef57b20447f18323208461309b" }, { "url": "https://git.kernel.org/stable/c/47f3be62eab50b8cd7e1ae5fc2c4dae687497c34" }, { "url": "https://git.kernel.org/stable/c/6d65079c69dc1feb817ed71f5bd15e83a7d6832d" }, { "url": "https://git.kernel.org/stable/c/f61fc650c47849637fa1771a31a11674c824138a" }, { "url": "https://git.kernel.org/stable/c/25feffb3fbd51ae81d92c65cebc0e932663828b3" }, { "url": "https://git.kernel.org/stable/c/4ed21975311247bb84e82298eeb359ec0a0fa84d" }, { "url": "https://git.kernel.org/stable/c/b018c0440b871d8b001c996e95fa4538bd292de6" }, { "url": "https://git.kernel.org/stable/c/47cd3770e31df942e2bb925a9a855c79ed0662eb" } ], "title": "scsi: qla4xxx: Add length check when parsing nlattrs", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53456", "datePublished": "2025-10-01T11:42:27.821Z", "dateReserved": "2025-09-17T14:54:09.754Z", "dateUpdated": "2025-10-01T11:42:27.821Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50446 (GCVE-0-2022-50446)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARC: mm: fix leakage of memory allocated for PTE
Since commit d9820ff ("ARC: mm: switch pgtable_t back to struct page *")
a memory leakage problem occurs. Memory allocated for page table entries
is not released during process termination. This issue can be reproduced by
a small program that allocates a large amount of memory. After several
runs, you'll see that the amount of free memory has reduced and will
continue to reduce after each run. All ARC CPUs are affected by this
issue. The issue was introduced since the kernel stable release v5.15-rc1.
As described in commit d9820ff after switch pgtable_t back to struct
page *, a pointer to "struct page" and appropriate functions are used to
allocate and free a memory page for PTEs, but the pmd_pgtable macro hasn't
changed and returns the direct virtual address from the PMD (PGD) entry.
Then this address is used as a parameter in the __pte_free() and as a result
this function couldn't release memory page allocated for PTEs.
Fix this issue by changing the pmd_pgtable macro and returning pointer to
struct page.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arc/include/asm/pgtable-levels.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "14009ada5712649589ab4ad0441b811780ea8773", "status": "affected", "version": "d9820ff76f95fa26d33e412254a89cd65b23142d", "versionType": "git" }, { "lessThan": "d83a69966e8b6ae9dd447f3ac704c0223bceb7f7", "status": "affected", "version": "d9820ff76f95fa26d33e412254a89cd65b23142d", "versionType": "git" }, { "lessThan": "4fd9df10cb7a9289fbd22d669f9f98164d95a1ce", "status": "affected", "version": "d9820ff76f95fa26d33e412254a89cd65b23142d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arc/include/asm/pgtable-levels.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", 
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARC: mm: fix leakage of memory allocated for PTE\n\nSince commit d9820ff (\"ARC: mm: switch pgtable_t back to struct page *\")\na memory leakage problem occurs. Memory allocated for page table entries\nnot released during process termination. This issue can be reproduced by\na small program that allocates a large amount of memory. After several\nruns, you\u0027ll see that the amount of free memory has reduced and will\ncontinue to reduce after each run. All ARC CPUs are effected by this\nissue. The issue was introduced since the kernel stable release v5.15-rc1.\n\nAs described in commit d9820ff after switch pgtable_t back to struct\npage *, a pointer to \"struct page\" and appropriate functions are used to\nallocate and free a memory page for PTEs, but the pmd_pgtable macro hasn\u0027t\nchanged and returns the direct virtual address from the PMD (PGD) entry.\nThan this address used as a parameter in the __pte_free() and as a result\nthis function couldn\u0027t release memory page allocated for PTEs.\n\nFix this issue by changing the pmd_pgtable macro and returning pointer to\nstruct page." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:20.854Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/14009ada5712649589ab4ad0441b811780ea8773" }, { "url": "https://git.kernel.org/stable/c/d83a69966e8b6ae9dd447f3ac704c0223bceb7f7" }, { "url": "https://git.kernel.org/stable/c/4fd9df10cb7a9289fbd22d669f9f98164d95a1ce" } ], "title": "ARC: mm: fix leakage of memory allocated for PTE", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50446", "datePublished": "2025-10-01T11:45:20.854Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-01T11:45:20.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53463 (GCVE-0-2023-53463)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Do not reset dql stats on NON_FATAL err
All ibmvnic resets make a call to netdev_tx_reset_queue() when
re-opening the device. netdev_tx_reset_queue() resets the num_queued
and num_completed byte counters. These stats are used in Byte Queue
Limit (BQL) algorithms. The difference between these two stats tracks
the number of bytes currently sitting on the physical NIC. ibmvnic
increases the number of queued bytes through calls to
netdev_tx_sent_queue() in the driver's xmit function. When VIOS reports
that it is done transmitting bytes, the ibmvnic device increases the
number of completed bytes through calls to netdev_tx_completed_queue().
It is important to note that the driver batches its transmit calls and
num_queued is increased every time that an skb is added to the next
batch, not necessarily when the batch is sent to VIOS for transmission.
Unlike other reset types, a NON FATAL reset will not flush the sub crq
tx buffers. Therefore, it is possible for the batched skb array to be
partially full. So if there is a call to netdev_tx_reset_queue() when
re-opening the device, the value of num_queued (0) would not account
for the skb's that are currently batched. Eventually, when the batch
is sent to VIOS, the call to netdev_tx_completed_queue() would increase
num_completed to a value greater than the num_queued. This causes a
BUG_ON crash:
ibmvnic 30000002: Firmware reports error, cause: adapter problem.
Starting recovery...
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
------------[ cut here ]------------
kernel BUG at lib/dynamic_queue_limits.c:27!
Oops: Exception in kernel mode, sig: 5
[....]
NIP dql_completed+0x28/0x1c0
LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]
Call Trace:
ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)
ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]
__handle_irq_event_percpu+0x98/0x270
---[ end trace ]---
Therefore, do not reset the dql stats when performing a NON_FATAL reset.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/ibm/ibmvnic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b8aedf29db1280c83191fc9579ae605791faf97f", "status": "affected", "version": "0d973388185d49add56b81ca82fa5e4348019df8", "versionType": "git" }, { "lessThan": "f67ef8f9f6776e2b2073cad7c5cf29de850f83d7", "status": "affected", "version": "0d973388185d49add56b81ca82fa5e4348019df8", "versionType": "git" }, { "lessThan": "91a0632e73070928aafeb36b3cc676843c716931", "status": "affected", "version": "0d973388185d49add56b81ca82fa5e4348019df8", "versionType": "git" }, { "lessThan": "48538ccb825b05544ec308a509e2cc9c013402db", "status": "affected", "version": "0d973388185d49add56b81ca82fa5e4348019df8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/ibm/ibmvnic.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.11" }, { "lessThan": "5.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "versionStartIncluding": "5.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", 
"versionStartIncluding": "5.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "5.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "5.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Do not reset dql stats on NON_FATAL err\n\nAll ibmvnic resets, make a call to netdev_tx_reset_queue() when\nre-opening the device. netdev_tx_reset_queue() resets the num_queued\nand num_completed byte counters. These stats are used in Byte Queue\nLimit (BQL) algorithms. The difference between these two stats tracks\nthe number of bytes currently sitting on the physical NIC. ibmvnic\nincreases the number of queued bytes though calls to\nnetdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports\nthat it is done transmitting bytes, the ibmvnic device increases the\nnumber of completed bytes through calls to netdev_tx_completed_queue().\nIt is important to note that the driver batches its transmit calls and\nnum_queued is increased every time that an skb is added to the next\nbatch, not necessarily when the batch is sent to VIOS for transmission.\n\nUnlike other reset types, a NON FATAL reset will not flush the sub crq\ntx buffers. Therefore, it is possible for the batched skb array to be\npartially full. So if there is call to netdev_tx_reset_queue() when\nre-opening the device, the value of num_queued (0) would not account\nfor the skb\u0027s that are currently batched. Eventually, when the batch\nis sent to VIOS, the call to netdev_tx_completed_queue() would increase\nnum_completed to a value greater than the num_queued. 
This causes a\nBUG_ON crash:\n\nibmvnic 30000002: Firmware reports error, cause: adapter problem.\nStarting recovery...\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:27!\nOops: Exception in kernel mode, sig: 5\n[....]\nNIP dql_completed+0x28/0x1c0\nLR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]\nCall Trace:\nibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)\nibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]\n__handle_irq_event_percpu+0x98/0x270\n---[ end trace ]---\n\nTherefore, do not reset the dql stats when performing a NON_FATAL reset." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:34.308Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b8aedf29db1280c83191fc9579ae605791faf97f" }, { "url": "https://git.kernel.org/stable/c/f67ef8f9f6776e2b2073cad7c5cf29de850f83d7" }, { "url": "https://git.kernel.org/stable/c/91a0632e73070928aafeb36b3cc676843c716931" }, { "url": "https://git.kernel.org/stable/c/48538ccb825b05544ec308a509e2cc9c013402db" } ], "title": "ibmvnic: Do not reset dql stats on NON_FATAL err", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53463", "datePublished": "2025-10-01T11:42:34.308Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:34.308Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53491 (GCVE-0-2023-53491)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
start_kernel: Add __no_stack_protector function attribute
Back during the discussion of
commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")
we discussed the need for a function attribute to control the omission
of stack protectors on a per-function basis; at the time Clang had
support for no_stack_protector but GCC did not. This was fixed in
gcc-11. Now that the function attribute is available, let's start using
it.
Callers of boot_init_stack_canary need to use this function attribute
unless they're compiled with -fno-stack-protector, otherwise the canary
stored in the stack slot of the caller will differ upon the call to
boot_init_stack_canary. This will lead to a call to __stack_chk_fail()
then panic.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/smp.c", "include/linux/compiler_attributes.h", "init/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "25e73018b4093e0cfbcec5dc4a4bb86d0b69ed56", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "514ca14ed5444b911de59ed3381dfd195d99fe4b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/smp.c", "include/linux/compiler_attributes.h", "init/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstart_kernel: Add __no_stack_protector function attribute\n\nBack during the discussion of\ncommit a9a3ed1eff36 (\"x86: Fix early boot crash on gcc-10, third try\")\nwe discussed the need for a function attribute to control the omission\nof stack protectors on a per-function basis; at the time Clang had\nsupport for no_stack_protector but GCC did not. This was fixed in\ngcc-11. 
Now that the function attribute is available, let\u0027s start using\nit.\n\nCallers of boot_init_stack_canary need to use this function attribute\nunless they\u0027re compiled with -fno-stack-protector, otherwise the canary\nstored in the stack slot of the caller will differ upon the call to\nboot_init_stack_canary. This will lead to a call to __stack_chk_fail()\nthen panic." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:43.101Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/25e73018b4093e0cfbcec5dc4a4bb86d0b69ed56" }, { "url": "https://git.kernel.org/stable/c/514ca14ed5444b911de59ed3381dfd195d99fe4b" } ], "title": "start_kernel: Add __no_stack_protector function attribute", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53491", "datePublished": "2025-10-01T11:45:43.101Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:43.101Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53526 (GCVE-0-2023-53526)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: check 'jh->b_transaction' before removing it from checkpoint
The following process will corrupt the ext4 image:
Step 1:
jbd2_journal_commit_transaction
  __jbd2_journal_insert_checkpoint(jh, commit_transaction)
  // Put jh into trans1->t_checkpoint_list
  journal->j_checkpoint_transactions = commit_transaction
  // Put trans1 into journal->j_checkpoint_transactions
Step 2:
do_get_write_access
  test_clear_buffer_dirty(bh) // clear buffer dirty, set jbd dirty
  __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2
Step 3:
drop_cache
  journal_shrink_one_cp_list
  jbd2_journal_try_remove_checkpoint
  if (!trylock_buffer(bh)) // lock bh, true
  if (buffer_dirty(bh)) // buffer is not dirty
  __jbd2_journal_remove_checkpoint(jh)
  // remove jh from trans1->t_checkpoint_list
Step 4:
jbd2_log_do_checkpoint
  trans1 = journal->j_checkpoint_transactions
  // jh is not in trans1->t_checkpoint_list
  jbd2_cleanup_journal_tail(journal) // trans1 is done
Step 5: Power cut, trans2 is not committed, jh is lost in next mounting.
Fix it by checking 'jh->b_transaction' before removing it from checkpoint.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: b832174b7f89df3ebab02f5b485d00127a0e1a6e Version: e5c768d809a85e9efd0274b2efe69d4970cc0014 Version: 46f881b5b1758dc4a35fba4a643c10717d0cf427 Version: 46f881b5b1758dc4a35fba4a643c10717d0cf427 Version: 019b59aeb2af6b47d5c8e69c5dc1d731c8df0354
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/jbd2/checkpoint.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ef5fea70e5915afd64182d155e72bfb4f275e1fc", "status": "affected", "version": "b832174b7f89df3ebab02f5b485d00127a0e1a6e", "versionType": "git" }, { "lessThan": "dbafe636db415299e54d9dfefc1003bda9e71c9d", "status": "affected", "version": "e5c768d809a85e9efd0274b2efe69d4970cc0014", "versionType": "git" }, { "lessThan": "2298f2589903a8bc03061b54b31fd97985ab6529", "status": "affected", "version": "46f881b5b1758dc4a35fba4a643c10717d0cf427", "versionType": "git" }, { "lessThan": "590a809ff743e7bd890ba5fb36bc38e20a36de53", "status": "affected", "version": "46f881b5b1758dc4a35fba4a643c10717d0cf427", "versionType": "git" }, { "status": "affected", "version": "019b59aeb2af6b47d5c8e69c5dc1d731c8df0354", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/jbd2/checkpoint.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.54", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.15.129", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.54", "versionStartIncluding": "6.1.50", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: check \u0027jh-\u003eb_transaction\u0027 before removing it from checkpoint\n\nFollowing process will corrupt ext4 image:\nStep 1:\njbd2_journal_commit_transaction\n __jbd2_journal_insert_checkpoint(jh, commit_transaction)\n // Put jh into trans1-\u003et_checkpoint_list\n journal-\u003ej_checkpoint_transactions = commit_transaction\n // Put trans1 into journal-\u003ej_checkpoint_transactions\n\nStep 2:\ndo_get_write_access\n test_clear_buffer_dirty(bh) // clear buffer dirty\uff0cset jbd dirty\n __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2\n\nStep 3:\ndrop_cache\n journal_shrink_one_cp_list\n jbd2_journal_try_remove_checkpoint\n if (!trylock_buffer(bh)) // lock bh, true\n if (buffer_dirty(bh)) // buffer is not dirty\n __jbd2_journal_remove_checkpoint(jh)\n // remove jh from trans1-\u003et_checkpoint_list\n\nStep 4:\njbd2_log_do_checkpoint\n trans1 = journal-\u003ej_checkpoint_transactions\n // jh is not in trans1-\u003et_checkpoint_list\n jbd2_cleanup_journal_tail(journal) // trans1 is done\n\nStep 5: Power cut, trans2 is not committed, jh is lost in next mounting.\n\nFix it by checking \u0027jh-\u003eb_transaction\u0027 before remove it from checkpoint." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:11.862Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ef5fea70e5915afd64182d155e72bfb4f275e1fc" }, { "url": "https://git.kernel.org/stable/c/dbafe636db415299e54d9dfefc1003bda9e71c9d" }, { "url": "https://git.kernel.org/stable/c/2298f2589903a8bc03061b54b31fd97985ab6529" }, { "url": "https://git.kernel.org/stable/c/590a809ff743e7bd890ba5fb36bc38e20a36de53" } ], "title": "jbd2: check \u0027jh-\u003eb_transaction\u0027 before removing it from checkpoint", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53526", "datePublished": "2025-10-01T11:46:11.862Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:11.862Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50424 (GCVE-0-2022-50424)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()
Fixed Coverity issue with resource leaks: variable "fw" going out of
scope leaks the storage it points to in mt7921_check_offload_capability().
Addresses-Coverity-ID: 1527806 ("Resource leaks")
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7921/init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ead3cffd7510dc635d84cd4ea9dd1974fcb69a35", "status": "affected", "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb", "versionType": "git" }, { "lessThan": "47180ecf4541146836c5307c1d5526f8ac6a5a6d", "status": "affected", "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7921/init.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()\n\nFixed coverity issue with resource leaks at variable \"fw\" going out of\nscope leaks the storage it points to mt7921_check_offload_capability().\n\nAddresses-Coverity-ID: 1527806 (\"Resource leaks\")" } ], "providerMetadata": { 
"dateUpdated": "2025-10-01T11:42:03.912Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ead3cffd7510dc635d84cd4ea9dd1974fcb69a35" }, { "url": "https://git.kernel.org/stable/c/47180ecf4541146836c5307c1d5526f8ac6a5a6d" } ], "title": "wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50424", "datePublished": "2025-10-01T11:42:03.912Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:42:03.912Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50431 (GCVE-0-2022-50431)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
dev_set_name() in soundbus_add_one() allocates memory for name, it needs to be
freed when of_device_register() fails, call soundbus_dev_put() to give up
the reference that is held in device_initialize(), so that it can be freed in
kobject_cleanup() when the refcount hits 0. And other resources are also
freed in i2sbus_release_dev(), so it can return 0 directly.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15 Version: f3d9478b2ce468c3115b02ecae7e975990697f15
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/aoa/soundbus/i2sbus/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fd410d24665e4efb3c1796797181265efe553e9c", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "802532a50acf501fdafe38a84ca2aa886d68af68", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "027fee10e3a400cf6f3237374a1248da1082807b", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "5bdea674534153110b90d70b02f2fbaf48b2c0eb", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "ce6fd1c382a38b75557db85a2fe99d285540a03d", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "e81d7826b8f40430a1ea1b330e24d9a9eb4512c4", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "c7524279c8ddc7dbf3463bec70e0289097959944", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" }, { "lessThan": "4a4c8482e370d697738a78dcd7bf2780832cb712", "status": "affected", "version": "f3d9478b2ce468c3115b02ecae7e975990697f15", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/aoa/soundbus/i2sbus/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.18" }, { "lessThan": "2.6.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.332", "versionType": "semver" }, { 
"lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.298", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.264", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.223", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.332", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.298", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.264", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.223", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "2.6.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "2.6.18", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()\n\ndev_set_name() in soundbus_add_one() allocates memory for name, it need be\nfreed when of_device_register() fails, call soundbus_dev_put() to give up\nthe reference that hold in device_initialize(), so that it can be freed in\nkobject_cleanup() when the refcount hit to 0. And other resources are also\nfreed in i2sbus_release_dev(), so it can return 0 directly." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:09.700Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fd410d24665e4efb3c1796797181265efe553e9c" }, { "url": "https://git.kernel.org/stable/c/802532a50acf501fdafe38a84ca2aa886d68af68" }, { "url": "https://git.kernel.org/stable/c/027fee10e3a400cf6f3237374a1248da1082807b" }, { "url": "https://git.kernel.org/stable/c/5bdea674534153110b90d70b02f2fbaf48b2c0eb" }, { "url": "https://git.kernel.org/stable/c/ce6fd1c382a38b75557db85a2fe99d285540a03d" }, { "url": "https://git.kernel.org/stable/c/e81d7826b8f40430a1ea1b330e24d9a9eb4512c4" }, { "url": "https://git.kernel.org/stable/c/c7524279c8ddc7dbf3463bec70e0289097959944" }, { "url": "https://git.kernel.org/stable/c/4a4c8482e370d697738a78dcd7bf2780832cb712" } ], "title": "ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50431", "datePublished": "2025-10-01T11:42:09.700Z", "dateReserved": "2025-09-17T14:53:07.009Z", "dateUpdated": "2025-10-01T11:42:09.700Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50457 (GCVE-0-2022-50457)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: core: Fix refcount error in del_mtd_device()
del_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which
is mtd->dev.of_node. However, memset(&mtd->dev, 0) is called before
of_node_put(). As a result, of_node_put() won't do anything in
del_mtd_device(), and causes the refcount leak.
del_mtd_device()
memset(&mtd->dev, 0, sizeof(mtd->dev) # clear mtd->dev
of_node_put()
mtd_get_of_node(mtd) # mtd->dev is cleared, can't locate of_node
# of_node_put(NULL) won't do anything
Fix the error by caching the pointer of the device_node.
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry: attach
overlay node /spi/spi-sram@0
CPU: 3 PID: 275 Comm: python3 Tainted: G N 6.1.0-rc3+ #54
0d8a1edddf51f172ff5226989a7565c6313b08e2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x67/0x83
kobject_get+0x155/0x160
of_node_get+0x1f/0x30
of_fwnode_get+0x43/0x70
fwnode_handle_get+0x54/0x80
fwnode_get_nth_parent+0xc9/0xe0
fwnode_full_name_string+0x3f/0xa0
device_node_string+0x30f/0x750
pointer+0x598/0x7a0
vsnprintf+0x62d/0x9b0
...
cfs_overlay_release+0x30/0x90
config_item_release+0xbe/0x1a0
config_item_put+0x5e/0x80
configfs_rmdir+0x3bd/0x540
vfs_rmdir+0x18c/0x320
do_rmdir+0x198/0x330
__x64_sys_rmdir+0x2c/0x40
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[<miquel.raynal@bootlin.com>: Light reword of the commit log]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/mtd/mtdcore.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f6016557f1ef7735963bd8691592d2797bbf91d2", "status": "affected", "version": "00596576a05145a1b5672897a82ef87af00becf4", "versionType": "git" }, { "lessThan": "616dc895d982026f41f500c88d1bfea004938cc8", "status": "affected", "version": "00596576a05145a1b5672897a82ef87af00becf4", "versionType": "git" }, { "lessThan": "56570bdad5e31c5c538cd6efff5c4510256e1bb4", "status": "affected", "version": "00596576a05145a1b5672897a82ef87af00becf4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/mtd/mtdcore.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the 
following vulnerability has been resolved:\n\nmtd: core: Fix refcount error in del_mtd_device()\n\ndel_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which\nis mtd-\u003edev.of_node. However, memset(\u0026mtd-\u003edev, 0) is called before\nof_node_put(). As the result, of_node_put() won\u0027t do anything in\ndel_mtd_device(), and causes the refcount leak.\n\ndel_mtd_device()\n memset(\u0026mtd-\u003edev, 0, sizeof(mtd-\u003edev) # clear mtd-\u003edev\n of_node_put()\n mtd_get_of_node(mtd) # mtd-\u003edev is cleared, can\u0027t locate of_node\n # of_node_put(NULL) won\u0027t do anything\n\nFix the error by caching the pointer of the device_node.\n\nOF: ERROR: memory leak, expected refcount 1 instead of 2,\nof_node_get()/of_node_put() unbalanced - destroy cset entry: attach\noverlay node /spi/spi-sram@0\nCPU: 3 PID: 275 Comm: python3 Tainted: G N 6.1.0-rc3+ #54\n 0d8a1edddf51f172ff5226989a7565c6313b08e2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nCall Trace:\n\u003cTASK\u003e\n dump_stack_lvl+0x67/0x83\n kobject_get+0x155/0x160\n of_node_get+0x1f/0x30\n of_fwnode_get+0x43/0x70\n fwnode_handle_get+0x54/0x80\n fwnode_get_nth_parent+0xc9/0xe0\n fwnode_full_name_string+0x3f/0xa0\n device_node_string+0x30f/0x750\n pointer+0x598/0x7a0\n vsnprintf+0x62d/0x9b0\n ...\n cfs_overlay_release+0x30/0x90\n config_item_release+0xbe/0x1a0\n config_item_put+0x5e/0x80\n configfs_rmdir+0x3bd/0x540\n vfs_rmdir+0x18c/0x320\n do_rmdir+0x198/0x330\n __x64_sys_rmdir+0x2c/0x40\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[\u003cmiquel.raynal@bootlin.com\u003e: Light reword of the commit log]" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:30.263Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f6016557f1ef7735963bd8691592d2797bbf91d2" }, { "url": 
"https://git.kernel.org/stable/c/616dc895d982026f41f500c88d1bfea004938cc8" }, { "url": "https://git.kernel.org/stable/c/56570bdad5e31c5c538cd6efff5c4510256e1bb4" } ], "title": "mtd: core: Fix refcount error in del_mtd_device()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50457", "datePublished": "2025-10-01T11:45:30.263Z", "dateReserved": "2025-10-01T11:38:45.640Z", "dateUpdated": "2025-10-01T11:45:30.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53497 (GCVE-0-2023-53497)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()
The vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()
handler to check if the .start_streaming() operation has been called,
and decide whether to just add the buffer to an internal queue, or also
trigger a hardware run. vb2_is_streaming() relies on the vb2_queue
structure's streaming field, which used to be set only after calling the
.start_streaming() operation.
Commit a10b21532574 ("media: vb2: add (un)prepare_streaming queue ops")
changed this, setting the .streaming field in vb2_core_streamon() before
enqueuing buffers to the driver and calling .start_streaming(). This
broke the vsp1 driver which now believes that .start_streaming() has
been called when it hasn't, leading to a crash:
[ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[ 881.067495] Mem abort info:
[ 881.070290] ESR = 0x0000000096000006
[ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits
[ 881.079358] SET = 0, FnV = 0
[ 881.082414] EA = 0, S1PTW = 0
[ 881.085558] FSC = 0x06: level 2 translation fault
[ 881.090439] Data abort info:
[ 881.093320] ISV = 0, ISS = 0x00000006
[ 881.097157] CM = 0, WnR = 0
[ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000
[ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000
[ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
[ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem
[ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556
[ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
[ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0
[ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0
[ 881.162206] sp : ffff80000c267710
[ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98
[ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8
[ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020
[ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000
[ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d
[ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000
[ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001
[ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020
[ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000
[ 881.237092] Call trace:
[ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0
[ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0
[ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0
[ 881.253076] __enqueue_in_driver+0xbc/0x260
[ 881.257269] vb2_start_streaming+0x48/0x200
[ 881.261461] vb2_core_streamon+0x13c/0x280
[ 881.265565] vb2_streamon+0x3c/0x90
[ 881.269064] vsp1_video_streamon+0x2fc/0x3e0
[ 881.273344] v4l_streamon+0x50/0x70
[ 881.276844] __video_do_ioctl+0x2bc/0x5d0
[ 881.280861] video_usercopy+0x2a8/0xc80
[ 881.284704] video_ioctl2+0x20/0x40
[ 881.288201] v4l2_ioctl+0xa4/0xc0
[ 881.291525] __arm64_sys_ioctl+0xe8/0x110
[ 881.295543] invoke_syscall+0x68/0x190
[ 881.299303] el0_svc_common.constprop.0+0x88/0x170
[ 881.304105] do_el0_svc+0x4c/0xf0
[ 881.307430] el0_svc+0x4c/0xa0
[ 881.310494] el0t_64_sync_handler+0xbc/0x140
[ 881.314773] el0t_64_sync+0x190/0x194
[ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)
[ 881.324551] ---[ end trace 0000000000000000 ]---
[ 881.329173] note: yavta[1271] exited with preempt_count 1
A different r
---truncated---
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/platform/renesas/vsp1/vsp1_video.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "960dc0aa4aa149f6f39125394f4feb51b7addc60", "status": "affected", "version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "versionType": "git" }, { "lessThan": "b54f74214adf4e77cba6badf488c564dd353b491", "status": "affected", "version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "versionType": "git" }, { "lessThan": "52d8caca3d533cc499f1255be25576ffd936ec95", "status": "affected", "version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/platform/renesas/vsp1/vsp1_video.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()\n\nThe vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()\nhandler to check if the .start_streaming() operation has been called,\nand decide whether to just add the buffer to an internal queue, or also\ntrigger a hardware run. vb2_is_streaming() relies on the vb2_queue\nstructure\u0027s streaming field, which used to be set only after calling the\n.start_streaming() operation.\n\nCommit a10b21532574 (\"media: vb2: add (un)prepare_streaming queue ops\")\nchanged this, setting the .streaming field in vb2_core_streamon() before\nenqueuing buffers to the driver and calling .start_streaming(). This\nbroke the vsp1 driver which now believes that .start_streaming() has\nbeen called when it hasn\u0027t, leading to a crash:\n\n[ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[ 881.067495] Mem abort info:\n[ 881.070290] ESR = 0x0000000096000006\n[ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 881.079358] SET = 0, FnV = 0\n[ 881.082414] EA = 0, S1PTW = 0\n[ 881.085558] FSC = 0x06: level 2 translation fault\n[ 881.090439] Data abort info:\n[ 881.093320] ISV = 0, ISS = 0x00000006\n[ 881.097157] CM = 0, WnR = 0\n[ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000\n[ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000\n[ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP\n[ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem\n[ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556\n[ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n[ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 881.152951] pc : 
vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0\n[ 881.162206] sp : ffff80000c267710\n[ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98\n[ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8\n[ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020\n[ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000\n[ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d\n[ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000\n[ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001\n[ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020\n[ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000\n[ 881.237092] Call trace:\n[ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0\n[ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0\n[ 881.253076] __enqueue_in_driver+0xbc/0x260\n[ 881.257269] vb2_start_streaming+0x48/0x200\n[ 881.261461] vb2_core_streamon+0x13c/0x280\n[ 881.265565] vb2_streamon+0x3c/0x90\n[ 881.269064] vsp1_video_streamon+0x2fc/0x3e0\n[ 881.273344] v4l_streamon+0x50/0x70\n[ 881.276844] __video_do_ioctl+0x2bc/0x5d0\n[ 881.280861] video_usercopy+0x2a8/0xc80\n[ 881.284704] video_ioctl2+0x20/0x40\n[ 881.288201] v4l2_ioctl+0xa4/0xc0\n[ 881.291525] __arm64_sys_ioctl+0xe8/0x110\n[ 881.295543] invoke_syscall+0x68/0x190\n[ 881.299303] el0_svc_common.constprop.0+0x88/0x170\n[ 881.304105] do_el0_svc+0x4c/0xf0\n[ 881.307430] el0_svc+0x4c/0xa0\n[ 881.310494] el0t_64_sync_handler+0xbc/0x140\n[ 881.314773] el0t_64_sync+0x190/0x194\n[ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)\n[ 881.324551] ---[ end trace 0000000000000000 ]---\n[ 881.329173] note: yavta[1271] exited with preempt_count 
1\n\nA different r\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:48.728Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/960dc0aa4aa149f6f39125394f4feb51b7addc60" }, { "url": "https://git.kernel.org/stable/c/b54f74214adf4e77cba6badf488c564dd353b491" }, { "url": "https://git.kernel.org/stable/c/52d8caca3d533cc499f1255be25576ffd936ec95" } ], "title": "media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53497", "datePublished": "2025-10-01T11:45:48.728Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:48.728Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50447 (GCVE-0-2022-50447)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
Attempting to connect multiple ISO sockets without using
DEFER_SETUP may result in the following crash:
BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted
6.0.0-rc7-02243-gb84a13ff4eda #4373
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS 1.16.0-1.fc36 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x19/0x27
kasan_report+0xbc/0xf0
? hci_create_cis_sync+0x18b/0x2b0
hci_create_cis_sync+0x18b/0x2b0
? get_link_mode+0xd0/0xd0
? __ww_mutex_lock_slowpath+0x10/0x10
? mutex_lock+0xe0/0xe0
? get_link_mode+0xd0/0xd0
hci_cmd_sync_work+0x111/0x190
process_one_work+0x427/0x650
worker_thread+0x87/0x750
? process_one_work+0x650/0x650
kthread+0x14e/0x180
? kthread_exit+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_conn.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a190cd9dc62d6ebeb679c1abe9dda4162dfefc84", "status": "affected", "version": "26afbd826ee326e63a334c37fd45e82e50a615ec", "versionType": "git" }, { "lessThan": "09a3b0c9c7c6b10587fbb610b718014703cff341", "status": "affected", "version": "26afbd826ee326e63a334c37fd45e82e50a615ec", "versionType": "git" }, { "lessThan": "50757a259ba78c4e938b5735e76ffec6cd0c942e", "status": "affected", "version": "26afbd826ee326e63a334c37fd45e82e50a615ec", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_conn.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, 
the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix crash on hci_create_cis_sync\n\nWhen attempting to connect multiple ISO sockets without using\nDEFER_SETUP may result in the following crash:\n\nBUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0\nRead of size 2 at addr 0000000000000036 by task kworker/u3:1/50\n\nCPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted\n6.0.0-rc7-02243-gb84a13ff4eda #4373\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009),\nBIOS 1.16.0-1.fc36 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x19/0x27\n kasan_report+0xbc/0xf0\n ? hci_create_cis_sync+0x18b/0x2b0\n hci_create_cis_sync+0x18b/0x2b0\n ? get_link_mode+0xd0/0xd0\n ? __ww_mutex_lock_slowpath+0x10/0x10\n ? mutex_lock+0xe0/0xe0\n ? get_link_mode+0xd0/0xd0\n hci_cmd_sync_work+0x111/0x190\n process_one_work+0x427/0x650\n worker_thread+0x87/0x750\n ? process_one_work+0x650/0x650\n kthread+0x14e/0x180\n ? kthread_exit+0x50/0x50\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:21.804Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a190cd9dc62d6ebeb679c1abe9dda4162dfefc84" }, { "url": "https://git.kernel.org/stable/c/09a3b0c9c7c6b10587fbb610b718014703cff341" }, { "url": "https://git.kernel.org/stable/c/50757a259ba78c4e938b5735e76ffec6cd0c942e" } ], "title": "Bluetooth: hci_conn: Fix crash on hci_create_cis_sync", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50447", "datePublished": "2025-10-01T11:45:21.804Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-01T11:45:21.804Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50421 (GCVE-0-2022-50421)
Vulnerability from cvelistv5
Published
2025-10-01 11:41
Modified
2025-10-01 11:41
Summary
In the Linux kernel, the following vulnerability has been resolved:
rpmsg: char: Avoid double destroy of default endpoint
The rpmsg_dev_remove() in rpmsg_core is the place for releasing
this default endpoint.
So we need to avoid destroying the default endpoint in
rpmsg_chrdev_eptdev_destroy(); this should be the same as
rpmsg_eptdev_release(). Otherwise there will be a double-destroy
issue, with ept->refcount reporting a warning:
refcount_t: underflow; use-after-free.
Call trace:
refcount_warn_saturate+0xf8/0x150
virtio_rpmsg_destroy_ept+0xd4/0xec
rpmsg_dev_remove+0x60/0x70
The issue can be reproduced by stopping remoteproc before
closing the /dev/rpmsgX.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/rpmsg/rpmsg_char.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ef828a39d6a7028836eaf37df3ad568c8c2dd6f9", "status": "affected", "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39", "versionType": "git" }, { "lessThan": "3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb", "status": "affected", "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39", "versionType": "git" }, { "lessThan": "467233a4ac29b215d492843d067a9f091e6bf0c5", "status": "affected", "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/rpmsg/rpmsg_char.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the 
Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Avoid double destroy of default endpoint\n\nThe rpmsg_dev_remove() in rpmsg_core is the place for releasing\nthis default endpoint.\n\nSo need to avoid destroying the default endpoint in\nrpmsg_chrdev_eptdev_destroy(), this should be the same as\nrpmsg_eptdev_release(). Otherwise there will be double destroy\nissue that ept-\u003erefcount report warning:\n\nrefcount_t: underflow; use-after-free.\n\nCall trace:\n refcount_warn_saturate+0xf8/0x150\n virtio_rpmsg_destroy_ept+0xd4/0xec\n rpmsg_dev_remove+0x60/0x70\n\nThe issue can be reproduced by stopping remoteproc before\nclosing the /dev/rpmsgX." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:41:54.351Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ef828a39d6a7028836eaf37df3ad568c8c2dd6f9" }, { "url": "https://git.kernel.org/stable/c/3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb" }, { "url": "https://git.kernel.org/stable/c/467233a4ac29b215d492843d067a9f091e6bf0c5" } ], "title": "rpmsg: char: Avoid double destroy of default endpoint", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50421", "datePublished": "2025-10-01T11:41:54.351Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:41:54.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50460 (GCVE-0-2022-50460)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_flock()
If not flock, before return -ENOLCK, should free the xid,
otherwise, the xid will be leaked.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/cifs/file.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2d08311aa3056a84bfdc09bc47777de6a9b16c30", "status": "affected", "version": "d0677992d2af3d65f1c1c21de3323d09d4891537", "versionType": "git" }, { "lessThan": "8905d13b9ede4caa88c577faed832d6c7383f4fb", "status": "affected", "version": "d0677992d2af3d65f1c1c21de3323d09d4891537", "versionType": "git" }, { "lessThan": "f8c9b4a963fec5d0e37e3e8522bb19b0c28e1a73", "status": "affected", "version": "d0677992d2af3d65f1c1c21de3323d09d4891537", "versionType": "git" }, { "lessThan": "575e079c782b9862ec2626403922d041a42e6ed6", "status": "affected", "version": "d0677992d2af3d65f1c1c21de3323d09d4891537", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/cifs/file.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.5" }, { "lessThan": "5.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.152", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.76", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.152", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.76", "versionStartIncluding": "5.5", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.6", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_flock()\n\nIf not flock, before return -ENOLCK, should free the xid,\notherwise, the xid will be leaked." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:32.484Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2d08311aa3056a84bfdc09bc47777de6a9b16c30" }, { "url": "https://git.kernel.org/stable/c/8905d13b9ede4caa88c577faed832d6c7383f4fb" }, { "url": "https://git.kernel.org/stable/c/f8c9b4a963fec5d0e37e3e8522bb19b0c28e1a73" }, { "url": "https://git.kernel.org/stable/c/575e079c782b9862ec2626403922d041a42e6ed6" } ], "title": "cifs: Fix xid leak in cifs_flock()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50460", "datePublished": "2025-10-01T11:45:32.484Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:32.484Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53477 (GCVE-0-2023-53477)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
In function rt6_nlmsg_size(), the length of nexthop is calculated
by multiplying the nexthop length of fib6_info and the number of
siblings. However if the fib6_info has no lwtunnel but the siblings
have lwtunnels, the nexthop length is less than it should be, and
it will trigger a warning in inet6_rt_notify() as follows:
WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
......
Call Trace:
<TASK>
fib6_add_rt2node+0x685/0xa30
fib6_add+0x96/0x1b0
ip6_route_add+0x50/0xd0
inet6_rtm_newroute+0x97/0xa0
rtnetlink_rcv_msg+0x156/0x3d0
netlink_rcv_skb+0x5a/0x110
netlink_unicast+0x246/0x350
netlink_sendmsg+0x250/0x4c0
sock_sendmsg+0x66/0x70
___sys_sendmsg+0x7c/0xd0
__sys_sendmsg+0x5d/0xb0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
This bug can be reproduced by script:
ip -6 addr add 2002::2/64 dev ens2
ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100
for i in 10 20 30 40 50 60 70;
do
	ip link add link ens2 name ipv_$i type ipvlan
	ip -6 addr add 2002::$i/64 dev ipv_$i
	ifconfig ipv_$i up
done
for i in 10 20 30 40 50 60;
do
	ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 dev ipv_$i metric 100
done
ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100
This patch fixes it by adding the nexthop_len of every sibling using
rt6_nh_nlmsg_size().
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | beb1afac518dec5a15dc92ba8f0ca016dcf457b4
CVE-2022-50429 (GCVE-0-2022-50429)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()
We should add the of_node_put() when breaking out of
for_each_child_of_node() as it will automatically increase
and decrease the refcount.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 976897dd96db94c74209d0a0671d7a73aa02fab9
CVE-2022-50452 (GCVE-0-2022-50452)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: cake: fix null pointer access issue when cake_init() fails
When the default qdisc is cake, if the qdisc of dev_queue fails to be
inited during mqprio_init(), cake_reset() is invoked to clear
resources. In this case, the tins is NULL, and it will cause gpf issue.
The process is as follows:
```
qdisc_create_dflt()
    cake_init()
        q->tins = kvcalloc(...) --->failed, q->tins is NULL
    ...
    qdisc_put()
        ...
        cake_reset()
            ...
            cake_dequeue_one()
                b = &q->tins[...] --->q->tins is NULL
```
The following is the Call Trace information:
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:cake_dequeue_one+0xc9/0x3c0
Call Trace:
<TASK>
cake_reset+0xb1/0x140
qdisc_reset+0xed/0x6f0
qdisc_destroy+0x82/0x4c0
qdisc_put+0x9e/0xb0
qdisc_create_dflt+0x2c3/0x4a0
mqprio_init+0xa71/0x1760
qdisc_create+0x3eb/0x1000
tc_modify_qdisc+0x408/0x1720
rtnetlink_rcv_msg+0x38e/0xac0
netlink_rcv_skb+0x12d/0x3a0
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x826/0xcc0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f89e5122d04
</TASK>
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 046f6fd5daefac7f5abdafb436b30f63bc7c602b
CVE-2023-53484 (GCVE-0-2023-53484)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib: cpu_rmap: Avoid use after free on rmap->obj array entries
When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.
Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().
The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit an issue. Subsequent patches in this series exercise this
flow, hence the required fix.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVE-2022-50456 (GCVE-0-2022-50456)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix resolving backrefs for inline extent followed by prealloc
If a file consists of an inline extent followed by a regular or prealloc
extent, then a legitimate attempt to resolve a logical address in the
non-inline region will result in add_all_parents reading the invalid
offset field of the inline extent. If the inline extent item is placed
in the leaf eb s.t. it is the first item, attempting to access the
offset field will not only be meaningless, it will go past the end of
the eb and cause this panic:
[17.626048] BTRFS warning (device dm-2): bad eb member end: ptr 0x3fd4 start 30834688 member offset 16377 size 8
[17.631693] general protection fault, probably for non-canonical address 0x5088000000000: 0000 [#1] SMP PTI
[17.635041] CPU: 2 PID: 1267 Comm: btrfs Not tainted 5.12.0-07246-g75175d5adc74-dirty #199
[17.637969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[17.641995] RIP: 0010:btrfs_get_64+0xe7/0x110
[17.649890] RSP: 0018:ffffc90001f73a08 EFLAGS: 00010202
[17.651652] RAX: 0000000000000001 RBX: ffff88810c42d000 RCX: 0000000000000000
[17.653921] RDX: 0005088000000000 RSI: ffffc90001f73a0f RDI: 0000000000000001
[17.656174] RBP: 0000000000000ff9 R08: 0000000000000007 R09: c0000000fffeffff
[17.658441] R10: ffffc90001f73790 R11: ffffc90001f73788 R12: ffff888106afe918
[17.661070] R13: 0000000000003fd4 R14: 0000000000003f6f R15: cdcdcdcdcdcdcdcd
[17.663617] FS: 00007f64e7627d80(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000
[17.666525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17.668664] CR2: 000055d4a39152e8 CR3: 000000010c596002 CR4: 0000000000770ee0
[17.671253] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17.673634] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[17.676034] PKRU: 55555554
[17.677004] Call Trace:
[17.677877] add_all_parents+0x276/0x480
[17.679325] find_parent_nodes+0xfae/0x1590
[17.680771] btrfs_find_all_leafs+0x5e/0xa0
[17.682217] iterate_extent_inodes+0xce/0x260
[17.683809] ? btrfs_inode_flags_to_xflags+0x50/0x50
[17.685597] ? iterate_inodes_from_logical+0xa1/0xd0
[17.687404] iterate_inodes_from_logical+0xa1/0xd0
[17.689121] ? btrfs_inode_flags_to_xflags+0x50/0x50
[17.691010] btrfs_ioctl_logical_to_ino+0x131/0x190
[17.692946] btrfs_ioctl+0x104a/0x2f60
[17.694384] ? selinux_file_ioctl+0x182/0x220
[17.695995] ? __x64_sys_ioctl+0x84/0xc0
[17.697394] __x64_sys_ioctl+0x84/0xc0
[17.698697] do_syscall_64+0x33/0x40
[17.700017] entry_SYSCALL_64_after_hwframe+0x44/0xae
[17.701753] RIP: 0033:0x7f64e72761b7
[17.709355] RSP: 002b:00007ffefb067f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[17.712088] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f64e72761b7
[17.714667] RDX: 00007ffefb067fb0 RSI: 00000000c0389424 RDI: 0000000000000003
[17.717386] RBP: 00007ffefb06d188 R08: 000055d4a390d2b0 R09: 00007f64e7340a60
[17.719938] R10: 0000000000000231 R11: 0000000000000246 R12: 0000000000000001
[17.722383] R13: 0000000000000000 R14: 00000000c0389424 R15: 000055d4a38fd2a0
[17.724839] Modules linked in:
Fix the bug by detecting the inline extent item in add_all_parents and
skipping to the next extent item.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVE-2023-53506 (GCVE-0-2023-53506)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Do not bother merging very long extents
When merging very long extents we try to push as much length as possible
to the first extent. However this is unnecessarily complicated and not
really worth the trouble. Furthermore there was a bug in the logic
resulting in corrupting extents in the file as syzbot reproducer shows.
So just don't bother with the merging of extents that are too long
together.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/udf/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d52252a1de4cf96a34f722b0cd8902d8ff78eb57", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5d029799d381a9ee06209a222cae75f04c5d5304", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3d20e3b768aff32112bdce8d3219d923ae75f9f1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "965982feb333aefa9256c0fe188b5f1b958aef63", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9a8d602f0723586e668bae7e65c832ceb9bcc8bc", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "adac9ac6d2e04ea0782b91a00ba10706002f3ec4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7a965da79f2d22601f329cbfce588386b0847544", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/udf/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.308", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.276", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": 
"5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.308", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.276", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Do not bother merging very long extents\n\nWhen merging very long extents we try to push as much length as possible\nto the first extent. However this is unnecessarily complicated and not\nreally worth the trouble. 
Furthermore there was a bug in the logic\nresulting in corrupting extents in the file as syzbot reproducer shows.\nSo just don\u0027t bother with the merging of extents that are too long\ntogether." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:56.616Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d52252a1de4cf96a34f722b0cd8902d8ff78eb57" }, { "url": "https://git.kernel.org/stable/c/5d029799d381a9ee06209a222cae75f04c5d5304" }, { "url": "https://git.kernel.org/stable/c/3d20e3b768aff32112bdce8d3219d923ae75f9f1" }, { "url": "https://git.kernel.org/stable/c/965982feb333aefa9256c0fe188b5f1b958aef63" }, { "url": "https://git.kernel.org/stable/c/9a8d602f0723586e668bae7e65c832ceb9bcc8bc" }, { "url": "https://git.kernel.org/stable/c/adac9ac6d2e04ea0782b91a00ba10706002f3ec4" }, { "url": "https://git.kernel.org/stable/c/7a965da79f2d22601f329cbfce588386b0847544" }, { "url": "https://git.kernel.org/stable/c/53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced" } ], "title": "udf: Do not bother merging very long extents", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53506", "datePublished": "2025-10-01T11:45:56.616Z", "dateReserved": "2025-10-01T11:39:39.405Z", "dateUpdated": "2025-10-01T11:45:56.616Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53499 (GCVE-0-2023-53499)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_net: Fix error unwinding of XDP initialization
When initializing XDP in virtnet_open(), some rq xdp initialization
may hit an error causing net device open failed. However, previous
rqs have already initialized XDP and enabled NAPI, which is not the
expected behavior. Need to roll back the previous rq initialization
to avoid leaks in error unwinding of init code.
Also extract helper functions of disable and enable queue pairs.
Use newly introduced disable helper function in error unwinding and
virtnet_close. Use enable helper function in virtnet_open.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/virtio_net.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6a7690f2bd178eee80f33411ae32e543ae66379c", "status": "affected", "version": "754b8a21a96d5f11712245aef907149606b323ae", "versionType": "git" }, { "lessThan": "73f53bc295727a3cdbd9d6bcdfaa239258970cf4", "status": "affected", "version": "754b8a21a96d5f11712245aef907149606b323ae", "versionType": "git" }, { "lessThan": "037768b28e3752c07d63d1c72a651a6775b080bb", "status": "affected", "version": "754b8a21a96d5f11712245aef907149606b323ae", "versionType": "git" }, { "lessThan": "5306623a9826aa7d63b32c6a3803c798a765474d", "status": "affected", "version": "754b8a21a96d5f11712245aef907149606b323ae", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/virtio_net.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.16" }, { "lessThan": "4.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "versionStartIncluding": "4.16", 
"vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "4.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix error unwinding of XDP initialization\n\nWhen initializing XDP in virtnet_open(), some rq xdp initialization\nmay hit an error causing net device open failed. However, previous\nrqs have already initialized XDP and enabled NAPI, which is not the\nexpected behavior. Need to roll back the previous rq initialization\nto avoid leaks in error unwinding of init code.\n\nAlso extract helper functions of disable and enable queue pairs.\nUse newly introduced disable helper function in error unwinding and\nvirtnet_close. Use enable helper function in virtnet_open." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:50.367Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6a7690f2bd178eee80f33411ae32e543ae66379c" }, { "url": "https://git.kernel.org/stable/c/73f53bc295727a3cdbd9d6bcdfaa239258970cf4" }, { "url": "https://git.kernel.org/stable/c/037768b28e3752c07d63d1c72a651a6775b080bb" }, { "url": "https://git.kernel.org/stable/c/5306623a9826aa7d63b32c6a3803c798a765474d" } ], "title": "virtio_net: Fix error unwinding of XDP initialization", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53499", "datePublished": "2025-10-01T11:45:50.367Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T11:45:50.367Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50438 (GCVE-0-2022-50438)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hinic: fix memory leak when reading function table
When the input parameter idx meets the expected case option in
hinic_dbg_get_func_table(), read_data is not released. Fix it.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/huawei/hinic/hinic_debugfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bb01910763f935b16538084b4269696e0de17f79", "status": "affected", "version": "5215e16244ee5889cc6135381acdbf4cbcb7905a", "versionType": "git" }, { "lessThan": "e6765fe8de372a84f8dbe9e03ec13c7c70f946b8", "status": "affected", "version": "5215e16244ee5889cc6135381acdbf4cbcb7905a", "versionType": "git" }, { "lessThan": "ee98ab337036c983239aa550850861c88a5c4262", "status": "affected", "version": "5215e16244ee5889cc6135381acdbf4cbcb7905a", "versionType": "git" }, { "lessThan": "4c1f602df8956bc0decdafd7e4fc7eef50c550b1", "status": "affected", "version": "5215e16244ee5889cc6135381acdbf4cbcb7905a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/huawei/hinic/hinic_debugfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": 
"5.15.77", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: fix memory leak when reading function table\n\nWhen the input parameter idx meets the expected case option in\nhinic_dbg_get_func_table(), read_data is not released. Fix it." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:15.118Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bb01910763f935b16538084b4269696e0de17f79" }, { "url": "https://git.kernel.org/stable/c/e6765fe8de372a84f8dbe9e03ec13c7c70f946b8" }, { "url": "https://git.kernel.org/stable/c/ee98ab337036c983239aa550850861c88a5c4262" }, { "url": "https://git.kernel.org/stable/c/4c1f602df8956bc0decdafd7e4fc7eef50c550b1" } ], "title": "net: hinic: fix memory leak when reading function table", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50438", "datePublished": "2025-10-01T11:42:15.118Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:15.118Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50425 (GCVE-0-2022-50425)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly
When an extended state component is not present in fpstate, but in init
state, the function copies from init_fpstate via copy_feature().

But, dynamic states are not present in init_fpstate because of all-zeros
init states. Then retrieving them from init_fpstate will explode like this:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  ...
  RIP: 0010:memcpy_erms+0x6/0x10
  ? __copy_xstate_to_uabi_buf+0x381/0x870
  fpu_copy_guest_fpstate_to_uabi+0x28/0x80
  kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]
  ? __this_cpu_preempt_check+0x13/0x20
  ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]
  kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
  ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
  ? __fget_light+0xd4/0x130
  __x64_sys_ioctl+0xe3/0x910
  ? debug_smp_processor_id+0x17/0x20
  ? fpregs_assert_state_consistent+0x27/0x50
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

Adjust the 'mask' to zero out the userspace buffer for the features that
are not available both from fpstate and from init_fpstate.

The dynamic features depend on the compacted XSAVE format. Ensure it is
enabled before reading XCOMP_BV in init_fpstate.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/fpu/xstate.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6ff29642fd28965a8f8d6d326ac91bf6075f3113", "status": "affected", "version": "2308ee57d93d896618dd65c996429c9d3e469fe0", "versionType": "git" }, { "lessThan": "471f0aa7fa64e23766a1473b32d9ec3f0718895a", "status": "affected", "version": "2308ee57d93d896618dd65c996429c9d3e469fe0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/fpu/xstate.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.16" }, { "lessThan": "5.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "5.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly\n\nWhen an extended state component is not present in fpstate, but in init\nstate, the function copies from init_fpstate via copy_feature().\n\nBut, dynamic states are not present in init_fpstate because of all-zeros\ninit states. 
Then retrieving them from init_fpstate will explode like this:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ...\n RIP: 0010:memcpy_erms+0x6/0x10\n ? __copy_xstate_to_uabi_buf+0x381/0x870\n fpu_copy_guest_fpstate_to_uabi+0x28/0x80\n kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]\n ? __this_cpu_preempt_check+0x13/0x20\n ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]\n kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n ? __fget_light+0xd4/0x130\n __x64_sys_ioctl+0xe3/0x910\n ? debug_smp_processor_id+0x17/0x20\n ? fpregs_assert_state_consistent+0x27/0x50\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAdjust the \u0027mask\u0027 to zero out the userspace buffer for the features that\nare not available both from fpstate and from init_fpstate.\n\nThe dynamic features depend on the compacted XSAVE format. Ensure it is\nenabled before reading XCOMP_BV in init_fpstate." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:04.776Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6ff29642fd28965a8f8d6d326ac91bf6075f3113" }, { "url": "https://git.kernel.org/stable/c/471f0aa7fa64e23766a1473b32d9ec3f0718895a" } ], "title": "x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50425", "datePublished": "2025-10-01T11:42:04.776Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:42:04.776Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50449 (GCVE-0-2022-50449)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
If clk_register() fails, @pll->rate_table may have allocated memory by
kmemdup(), so it needs to be freed, otherwise will cause memory leak
issue, this patch fixes it.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 3ff6e0d8d64d594a551b5c4904e4b617bf7eee22
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/samsung/clk-pll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7b738276a596fa101d320591e9fa84ea0fc3f713", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "2e8dc0626fe86ae08914478dec1419618c557bc0", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "a00b4e0fa27317957536abf8f5d6a96d6cb9d9be", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "da13355bb9961316d124f94dfc7a1385d0fb035a", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "4e501a31af8efa593a2f003637b56d00b75dca23", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "4887ec922e407b4feaf060c7b099482a5c52dee3", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "a35323218ff32782d051d2643912311a22e07b6a", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" }, { "lessThan": "5174e5b0d1b669a489524192b6adcbb3c54ebc72", "status": "affected", "version": "3ff6e0d8d64d594a551b5c4904e4b617bf7eee22", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/samsung/clk-pll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { 
"lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "3.12", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: Fix memory leak in _samsung_clk_register_pll()\n\nIf clk_register() fails, @pll-\u003erate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise will cause memory leak\nissue, this patch fixes it." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:23.226Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7b738276a596fa101d320591e9fa84ea0fc3f713" }, { "url": "https://git.kernel.org/stable/c/2e8dc0626fe86ae08914478dec1419618c557bc0" }, { "url": "https://git.kernel.org/stable/c/a00b4e0fa27317957536abf8f5d6a96d6cb9d9be" }, { "url": "https://git.kernel.org/stable/c/da13355bb9961316d124f94dfc7a1385d0fb035a" }, { "url": "https://git.kernel.org/stable/c/4e501a31af8efa593a2f003637b56d00b75dca23" }, { "url": "https://git.kernel.org/stable/c/4887ec922e407b4feaf060c7b099482a5c52dee3" }, { "url": "https://git.kernel.org/stable/c/a35323218ff32782d051d2643912311a22e07b6a" }, { "url": "https://git.kernel.org/stable/c/5174e5b0d1b669a489524192b6adcbb3c54ebc72" } ], "title": "clk: samsung: Fix memory leak in _samsung_clk_register_pll()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50449", "datePublished": "2025-10-01T11:45:23.226Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-01T11:45:23.226Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53520 (GCVE-0-2023-53520)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix hci_suspend_sync crash
If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier
may still be accessing it, it can cause the program to crash.
Here's the call trace:

  <4>[102152.653246] Call Trace:
  <4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]
  <4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]
  <4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]
  <4>[102152.653268] notifier_call_chain+0x43/0x6b
  <4>[102152.653271] __blocking_notifier_call_chain+0x48/0x69
  <4>[102152.653273] __pm_notifier_call_chain+0x22/0x39
  <4>[102152.653276] pm_suspend+0x287/0x57c
  <4>[102152.653278] state_store+0xae/0xe5
  <4>[102152.653281] kernfs_fop_write+0x109/0x173
  <4>[102152.653284] __vfs_write+0x16f/0x1a2
  <4>[102152.653287] ? selinux_file_permission+0xca/0x16f
  <4>[102152.653289] ? security_file_permission+0x36/0x109
  <4>[102152.653291] vfs_write+0x114/0x21d
  <4>[102152.653293] __x64_sys_write+0x7b/0xdb
  <4>[102152.653296] do_syscall_64+0x59/0x194
  <4>[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1

This patch holds the reference count of the hci_dev object while
processing it in hci_suspend_notifier to avoid potential crash
caused by the race condition.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "06e2b5ad72b60f90bfe565c201346532e271f484", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f9c8ce5d665653e3cf71a76349d41d7a7f7947e6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "573ebae162111063eedc6c838a659ba628f66a0f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.55", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.55", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix hci_suspend_sync crash\n\nIf hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier\nmay still be accessing it, it can cause the program to 
crash.\nHere\u0027s the call trace:\n \u003c4\u003e[102152.653246] Call Trace:\n \u003c4\u003e[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]\n \u003c4\u003e[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]\n \u003c4\u003e[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]\n \u003c4\u003e[102152.653268] notifier_call_chain+0x43/0x6b\n \u003c4\u003e[102152.653271] __blocking_notifier_call_chain+0x48/0x69\n \u003c4\u003e[102152.653273] __pm_notifier_call_chain+0x22/0x39\n \u003c4\u003e[102152.653276] pm_suspend+0x287/0x57c\n \u003c4\u003e[102152.653278] state_store+0xae/0xe5\n \u003c4\u003e[102152.653281] kernfs_fop_write+0x109/0x173\n \u003c4\u003e[102152.653284] __vfs_write+0x16f/0x1a2\n \u003c4\u003e[102152.653287] ? selinux_file_permission+0xca/0x16f\n \u003c4\u003e[102152.653289] ? security_file_permission+0x36/0x109\n \u003c4\u003e[102152.653291] vfs_write+0x114/0x21d\n \u003c4\u003e[102152.653293] __x64_sys_write+0x7b/0xdb\n \u003c4\u003e[102152.653296] do_syscall_64+0x59/0x194\n \u003c4\u003e[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1\n\nThis patch holds the reference count of the hci_dev object while\nprocessing it in hci_suspend_notifier to avoid potential crash\ncaused by the race condition." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:07.355Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/06e2b5ad72b60f90bfe565c201346532e271f484" }, { "url": "https://git.kernel.org/stable/c/f9c8ce5d665653e3cf71a76349d41d7a7f7947e6" }, { "url": "https://git.kernel.org/stable/c/573ebae162111063eedc6c838a659ba628f66a0f" } ], "title": "Bluetooth: Fix hci_suspend_sync crash", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53520", "datePublished": "2025-10-01T11:46:07.355Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:07.355Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50462 (GCVE-0-2022-50462)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: vpe-mt: fix possible memory leak while module exiting
After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of the device is allocated dynamically,
so it needs to be freed when the module exits. Call put_device() to give up
the reference, so that it can be freed in kobject_cleanup() when the
refcount hits 0. The vpe_device is static, so remove kfree() from
vpe_device_release().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/mips/kernel/vpe-mt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "170e9913c2ed5cfc37c0adf0fdbd368d2d8d8168", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "9d180e0bb21c57bd6cca2adeb672d3b522e910b5", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "851ae5640875f06494e40002cd503b11a634c6fb", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "b3325a443525e3b89151879b834519b21c5e3011", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "48d42f4464d713fbdd79f334fdcd6e5be534cc67", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "e820a8192ff68570100347855b567512aec43819", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "b191dde84e40624d5577f64db0ec922c5c0ec57c", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "ab3d47c1fd0202821abd473ca87580faafd47847", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "5822e8cc84ee37338ab0bdc3124f6eec04dc232d", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/mips/kernel/vpe-mt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.30" }, { "lessThan": "2.6.30", "status": "unaffected", 
"version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "2.6.30", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: vpe-mt: fix possible memory leak while module exiting\n\nAfer commit 1fa5ae857bb1 (\"driver core: get rid of struct device\u0027s\nbus_id string array\"), the name of device is allocated dynamically,\nit need be freed when module exiting, call put_device() to give up\nreference, so that it can be freed in kobject_cleanup() when the\nrefcount hit to 0. The vpe_device is static, so remove kfree() from\nvpe_device_release()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:34.107Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/170e9913c2ed5cfc37c0adf0fdbd368d2d8d8168" }, { "url": "https://git.kernel.org/stable/c/9d180e0bb21c57bd6cca2adeb672d3b522e910b5" }, { "url": "https://git.kernel.org/stable/c/851ae5640875f06494e40002cd503b11a634c6fb" }, { "url": "https://git.kernel.org/stable/c/b3325a443525e3b89151879b834519b21c5e3011" }, { "url": "https://git.kernel.org/stable/c/48d42f4464d713fbdd79f334fdcd6e5be534cc67" }, { "url": "https://git.kernel.org/stable/c/e820a8192ff68570100347855b567512aec43819" }, { "url": "https://git.kernel.org/stable/c/b191dde84e40624d5577f64db0ec922c5c0ec57c" }, { "url": "https://git.kernel.org/stable/c/ab3d47c1fd0202821abd473ca87580faafd47847" }, { "url": "https://git.kernel.org/stable/c/5822e8cc84ee37338ab0bdc3124f6eec04dc232d" } ], "title": "MIPS: vpe-mt: fix possible memory leak while module exiting", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50462", "datePublished": "2025-10-01T11:45:34.107Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:34.107Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53449 (GCVE-0-2023-53449)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/dasd: Fix potential memleak in dasd_eckd_init()
`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it
also needs to be freed before the error returns, just like the other
cases in this function.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/s390/block/dasd_eckd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ee986d80acdef710a886be404308188ea11000c8", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" }, { "lessThan": "a50e28d433acf22258f9f34831057387f04ef074", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" }, { "lessThan": "544a552be0869231799784279d52704c4d314d33", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" }, { "lessThan": "ef3a7ffc0a6f833578bc8d1dcb79d0633c7e4ec3", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" }, { "lessThan": "aede5230d154b6b237985ec9df7ebbd1dce96810", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" }, { "lessThan": "460e9bed82e49db1b823dcb4e421783854d86c40", "status": "affected", "version": "9e12e54c7a8f616190beffb0f7ce778a86aec175", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/s390/block/dasd_eckd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.3" }, { "lessThan": "5.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": 
"6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "versionStartIncluding": "5.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "versionStartIncluding": "5.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "5.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: Fix potential memleak in dasd_eckd_init()\n\n`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it\nalso needs to be freed before the error returns, just like the other\ncases in this function." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:21.371Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ee986d80acdef710a886be404308188ea11000c8" }, { "url": "https://git.kernel.org/stable/c/a50e28d433acf22258f9f34831057387f04ef074" }, { "url": "https://git.kernel.org/stable/c/544a552be0869231799784279d52704c4d314d33" }, { "url": "https://git.kernel.org/stable/c/ef3a7ffc0a6f833578bc8d1dcb79d0633c7e4ec3" }, { "url": "https://git.kernel.org/stable/c/aede5230d154b6b237985ec9df7ebbd1dce96810" }, { "url": "https://git.kernel.org/stable/c/460e9bed82e49db1b823dcb4e421783854d86c40" } ], "title": "s390/dasd: Fix potential memleak in dasd_eckd_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53449", "datePublished": "2025-10-01T11:42:21.371Z", "dateReserved": "2025-09-17T14:54:09.753Z", "dateUpdated": "2025-10-01T11:42:21.371Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53466 (GCVE-0-2023-53466)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit
Always purge mcu skb queues in mt7915_mcu_exit routine even if
mt7915_firmware_state fails.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7915/mcu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4cbb876153b63fe248200f734069c6881cf97722", "status": "affected", "version": "e57b7901469fc0b021930b83a8094baaf3d81b09", "versionType": "git" }, { "lessThan": "3095fe1e1d3198e62a3c7116c4cf7c734871475f", "status": "affected", "version": "e57b7901469fc0b021930b83a8094baaf3d81b09", "versionType": "git" }, { "lessThan": "49bd78282e79ad177d14f37f4049f0605bf92dad", "status": "affected", "version": "e57b7901469fc0b021930b83a8094baaf3d81b09", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7915/mcu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.8" }, { "lessThan": "5.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit\n\nAlways purge mcu skb queues in mt7915_mcu_exit routine even if\nmt7915_firmware_state fails." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:36.809Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4cbb876153b63fe248200f734069c6881cf97722" }, { "url": "https://git.kernel.org/stable/c/3095fe1e1d3198e62a3c7116c4cf7c734871475f" }, { "url": "https://git.kernel.org/stable/c/49bd78282e79ad177d14f37f4049f0605bf92dad" } ], "title": "wifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53466", "datePublished": "2025-10-01T11:42:36.809Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:36.809Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50459 (GCVE-0-2022-50459)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Fix a NULL pointer crash that occurs when we are freeing the socket at the
same time we access it via sysfs.
The problem is that:
1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
does a get on the "struct sock".
2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
on the "struct socket" and that does __sock_release() which sets the
sock->ops to NULL.
3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct
socket". Originally, we just held the frwd_lock the entire time but in
commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
calling getpeername()") we switched to refcount based because the network
layer changed and started taking a mutex in that path, so we could no
longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a
mutex for accessing the socket in the interface code paths.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/iscsi_tcp.c", "drivers/scsi/iscsi_tcp.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "884a788f065578bb640382279a83d1df433b13e6", "status": "affected", "version": "bcf3a2953d36bbfb9bd44ccb3db0897d935cc485", "versionType": "git" }, { "lessThan": "a26b0658751bb0a3b28386fca715333b104d32a2", "status": "affected", "version": "bcf3a2953d36bbfb9bd44ccb3db0897d935cc485", "versionType": "git" }, { "lessThan": "897dbbc57d71e8a34ec1af8e573a142de457da38", "status": "affected", "version": "bcf3a2953d36bbfb9bd44ccb3db0897d935cc485", "versionType": "git" }, { "lessThan": "0a0b861fce2657ba08ec356a74346b37ca4b2008", "status": "affected", "version": "bcf3a2953d36bbfb9bd44ccb3db0897d935cc485", "versionType": "git" }, { "lessThan": "57569c37f0add1b6489e1a1563c71519daf732cf", "status": "affected", "version": "bcf3a2953d36bbfb9bd44ccb3db0897d935cc485", "versionType": "git" }, { "status": "affected", "version": "7d29e950766327f658cb92722b9445ac3b3ae023", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/iscsi_tcp.c", "drivers/scsi/iscsi_tcp.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": 
"unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()\n\nFix a NULL pointer crash that occurs when we are freeing the socket at the\nsame time we access it via sysfs.\n\nThe problem is that:\n\n 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take\n the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()\n does a get on the \"struct sock\".\n\n 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put\n on the \"struct socket\" and that does __sock_release() which sets the\n sock-\u003eops to NULL.\n\n 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then\n call kernel_getpeername() which accesses the NULL sock-\u003eops.\n\nAbove we do a get on the \"struct sock\", but we needed a get on the \"struct\nsocket\". 
Originally, we just held the frwd_lock the entire time but in\ncommit bcf3a2953d36 (\"scsi: iscsi: iscsi_tcp: Avoid holding spinlock while\ncalling getpeername()\") we switched to refcount based because the network\nlayer changed and started taking a mutex in that path, so we could no\nlonger hold the frwd_lock.\n\nInstead of trying to maintain multiple refcounts, this just has us use a\nmutex for accessing the socket in the interface code paths." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:31.740Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6" }, { "url": "https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2" }, { "url": "https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38" }, { "url": "https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008" }, { "url": "https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf" } ], "title": "scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50459", "datePublished": "2025-10-01T11:45:31.740Z", "dateReserved": "2025-10-01T11:38:45.640Z", "dateUpdated": "2025-10-01T11:45:31.740Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53503 (GCVE-0-2023-53503)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: allow ext4_get_group_info() to fail
Previously, ext4_get_group_info() would treat an invalid group number
as BUG(), since in theory it should never happen. However, if a
malicious attacker (or fuzzer) modifies the superblock via the block
device while the file system is mounted, it is possible for
s_first_data_block to get set to a very large number. In that case,
calculating the block group of some block number (such as the
starting block of a preallocation region) could result in an
underflow and a very large block group number. Then the BUG_ON check in
ext4_get_group_info() would fire, resulting in a denial of service
attack that can be triggered by root or someone with write access to
the block device.
From a quality of implementation perspective, it's best that even if
the system administrator does something that they shouldn't, it
will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info()
will call ext4_error and return NULL. We also add fallback code in
all of the callers of ext4_get_group_info() since it might return NULL.
Also, since ext4_get_group_info() was already borderline to be an
inline function, un-inline it. This results in a net reduction of the
compiled text size of ext4 by roughly 2k.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/balloc.c", "fs/ext4/ext4.h", "fs/ext4/ialloc.c", "fs/ext4/mballoc.c", "fs/ext4/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "100c0ad6c04597fefeaaba2bb1827cc015d95067", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "620a3c28221bb219b81bc0bffd065cc187494302", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b4319e457d6e3fb33e443efeaf4634fc36e8a9ed", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "31668cebf45adfb6283e465e641c4f5a21b07afa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/balloc.c", "fs/ext4/ext4.h", "fs/ext4/ialloc.c", "fs/ext4/mballoc.c", "fs/ext4/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: allow ext4_get_group_info() to fail\n\nPreviously, ext4_get_group_info() would treat an invalid group number\nas BUG(), since in theory it should never happen. However, if a\nmalicious attaker (or fuzzer) modifies the superblock via the block\ndevice while it is the file system is mounted, it is possible for\ns_first_data_block to get set to a very large number. In that case,\nwhen calculating the block group of some block number (such as the\nstarting block of a preallocation region), could result in an\nunderflow and very large block group number. Then the BUG_ON check in\next4_get_group_info() would fire, resutling in a denial of service\nattack that can be triggered by root or someone with write access to\nthe block device.\n\nFor a quality of implementation perspective, it\u0027s best that even if\nthe system administrator does something that they shouldn\u0027t, that it\nwill not trigger a BUG. So instead of BUG\u0027ing, ext4_get_group_info()\nwill call ext4_error and return NULL. We also add fallback code in\nall of the callers of ext4_get_group_info() that it might NULL.\n\nAlso, since ext4_get_group_info() was already borderline to be an\ninline function, un-inline it. 
The results in a next reduction of the\ncompiled text size of ext4 by roughly 2k." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:54.052Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/100c0ad6c04597fefeaaba2bb1827cc015d95067" }, { "url": "https://git.kernel.org/stable/c/620a3c28221bb219b81bc0bffd065cc187494302" }, { "url": "https://git.kernel.org/stable/c/b4319e457d6e3fb33e443efeaf4634fc36e8a9ed" }, { "url": "https://git.kernel.org/stable/c/31668cebf45adfb6283e465e641c4f5a21b07afa" }, { "url": "https://git.kernel.org/stable/c/5354b2af34064a4579be8bc0e2f15a7b70f14b5f" } ], "title": "ext4: allow ext4_get_group_info() to fail", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53503", "datePublished": "2025-10-01T11:45:54.052Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T11:45:54.052Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53494 (GCVE-0-2023-53494)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: xts - Handle EBUSY correctly
As it is, xts only handles the special return value of EINPROGRESS,
which means that in all other cases it will free data related to the
request.
However, as the caller of xts may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way. Otherwise backlogged
requests will trigger a use-after-free.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8083b1bf8163e7ae7d8c90f221106d96450b8aa8 Version: 8083b1bf8163e7ae7d8c90f221106d96450b8aa8 Version: 8083b1bf8163e7ae7d8c90f221106d96450b8aa8 Version: 8083b1bf8163e7ae7d8c90f221106d96450b8aa8 Version: 8083b1bf8163e7ae7d8c90f221106d96450b8aa8
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "crypto/xts.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "92a07ba4f0af2cccdc2aa5ee32679c9c9714db90", "status": "affected", "version": "8083b1bf8163e7ae7d8c90f221106d96450b8aa8", "versionType": "git" }, { "lessThan": "912eb10b65646ffd222256c78a1c566a3dac177d", "status": "affected", "version": "8083b1bf8163e7ae7d8c90f221106d96450b8aa8", "versionType": "git" }, { "lessThan": "57c3e1d63b63dc0841d41df729297cd7c1c35808", "status": "affected", "version": "8083b1bf8163e7ae7d8c90f221106d96450b8aa8", "versionType": "git" }, { "lessThan": "d5870848879291700fe6c5257dcb48aadd10425c", "status": "affected", "version": "8083b1bf8163e7ae7d8c90f221106d96450b8aa8", "versionType": "git" }, { "lessThan": "51c082514c2dedf2711c99d93c196cc4eedceb40", "status": "affected", "version": "8083b1bf8163e7ae7d8c90f221106d96450b8aa8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "crypto/xts.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xts - Handle EBUSY correctly\n\nAs it is xts only handles the special return value of EINPROGRESS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of xts may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way. Otherwise backlogged\nrequests will trigger a use-after-free." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:45.773Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/92a07ba4f0af2cccdc2aa5ee32679c9c9714db90" }, { "url": "https://git.kernel.org/stable/c/912eb10b65646ffd222256c78a1c566a3dac177d" }, { "url": "https://git.kernel.org/stable/c/57c3e1d63b63dc0841d41df729297cd7c1c35808" }, { "url": "https://git.kernel.org/stable/c/d5870848879291700fe6c5257dcb48aadd10425c" }, { "url": "https://git.kernel.org/stable/c/51c082514c2dedf2711c99d93c196cc4eedceb40" } ], "title": "crypto: xts - Handle EBUSY correctly", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53494", "datePublished": "2025-10-01T11:45:45.773Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:45.773Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53469 (GCVE-0-2023-53469)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-10 16:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix null-ptr-deref in unix_stream_sendpage().
Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()
with detailed analysis and a nice repro.
unix_stream_sendpage() tries to add data to the last skb in the peer's
recv queue without locking the queue.
If the peer's FD is passed to another socket and the socket's FD is
passed to the peer, there is a loop between them. If we close both
sockets without receiving FD, the sockets will be cleaned up by garbage
collection.
The garbage collection iterates such sockets and unlinks skb with
FD from the socket's receive queue under the queue's lock.
So, there is a race where unix_stream_sendpage() could access an skb
locklessly that is being released by garbage collection, resulting in
use-after-free.
To avoid the issue, unix_stream_sendpage() must lock the peer's recv
queue.
Note the issue does not exist in 6.5+ thanks to the recent sendpage()
refactoring.
This patch is originally written by Linus Torvalds.
BUG: unable to handle page fault for address: ffff988004dd6870
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP PTI
CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0
Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44
RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246
RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284
RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0
RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00
R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8
FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x1a/0x1f
? page_fault_oops+0xa9/0x1e0
? fixup_exception+0x1d/0x310
? exc_page_fault+0xa8/0x150
? asm_exc_page_fault+0x22/0x30
? kmem_cache_alloc_node+0xa2/0x1e0
? __alloc_skb+0x16c/0x1e0
__alloc_skb+0x16c/0x1e0
alloc_skb_with_frags+0x48/0x1e0
sock_alloc_send_pskb+0x234/0x270
unix_stream_sendmsg+0x1f5/0x690
sock_sendmsg+0x5d/0x60
____sys_sendmsg+0x210/0x260
___sys_sendmsg+0x83/0xd0
? kmem_cache_alloc+0xc6/0x1c0
? avc_disable+0x20/0x20
? percpu_counter_add_batch+0x53/0xc0
? alloc_empty_file+0x5d/0xb0
? alloc_file+0x91/0x170
? alloc_file_pseudo+0x94/0x100
? __fget_light+0x9f/0x120
__sys_sendmsg+0x54/0xa0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x69/0xd3
RIP: 0033:0x7f174d639a7d
Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48
RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d
RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007
RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff
R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28
R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000
</TASK>
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/unix/af_unix.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4a3fcfc3b51796e5e6974041c9a7cf7808d16f9e", "status": "affected", "version": "869e7c62486ec0e170a9771acaa251d1a33b5871", "versionType": "git" }, { "lessThan": "2dde18cd1d8fac735875f2e4987f11817cc0bc2c", "status": "affected", "version": "869e7c62486ec0e170a9771acaa251d1a33b5871", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/unix/af_unix.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.12", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix null-ptr-deref in unix_stream_sendpage().\n\nBing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()\nwith detailed analysis and a nice repro.\n\nunix_stream_sendpage() tries to add data to the last skb in the peer\u0027s\nrecv queue without locking the queue.\n\nIf the peer\u0027s FD is passed to another socket and the socket\u0027s FD 
is\npassed to the peer, there is a loop between them. If we close both\nsockets without receiving FD, the sockets will be cleaned up by garbage\ncollection.\n\nThe garbage collection iterates such sockets and unlinks skb with\nFD from the socket\u0027s receive queue under the queue\u0027s lock.\n\nSo, there is a race where unix_stream_sendpage() could access an skb\nlocklessly that is being released by garbage collection, resulting in\nuse-after-free.\n\nTo avoid the issue, unix_stream_sendpage() must lock the peer\u0027s recv\nqueue.\n\nNote the issue does not exist in 6.5+ thanks to the recent sendpage()\nrefactoring.\n\nThis patch is originally written by Linus Torvalds.\n\nBUG: unable to handle page fault for address: ffff988004dd6870\nPF: supervisor read access in kernel mode\nPF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP PTI\nCPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0\nCode: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 \u003c49\u003e 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44\nRSP: 0018:ffffc9000079fac0 EFLAGS: 00000246\nRAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284\nRDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0\nRBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00\nR13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8\nFS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x1a/0x1f\n ? page_fault_oops+0xa9/0x1e0\n ? 
fixup_exception+0x1d/0x310\n ? exc_page_fault+0xa8/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? kmem_cache_alloc_node+0xa2/0x1e0\n ? __alloc_skb+0x16c/0x1e0\n __alloc_skb+0x16c/0x1e0\n alloc_skb_with_frags+0x48/0x1e0\n sock_alloc_send_pskb+0x234/0x270\n unix_stream_sendmsg+0x1f5/0x690\n sock_sendmsg+0x5d/0x60\n ____sys_sendmsg+0x210/0x260\n ___sys_sendmsg+0x83/0xd0\n ? kmem_cache_alloc+0xc6/0x1c0\n ? avc_disable+0x20/0x20\n ? percpu_counter_add_batch+0x53/0xc0\n ? alloc_empty_file+0x5d/0xb0\n ? alloc_file+0x91/0x170\n ? alloc_file_pseudo+0x94/0x100\n ? __fget_light+0x9f/0x120\n __sys_sendmsg+0x54/0xa0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x69/0xd3\nRIP: 0033:0x7f174d639a7d\nCode: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48\nRSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d\nRDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007\nRBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff\nR10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28\nR13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2025-10-10T16:08:37.029Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4a3fcfc3b51796e5e6974041c9a7cf7808d16f9e" }, { "url": "https://git.kernel.org/stable/c/2dde18cd1d8fac735875f2e4987f11817cc0bc2c" } ], "title": "af_unix: Fix null-ptr-deref in unix_stream_sendpage().", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53469", "datePublished": "2025-10-01T11:42:39.467Z", "dateReserved": 
"2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-10T16:08:37.029Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50450 (GCVE-0-2022-50450)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2025-10-09T05:57:03.009Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50450", "datePublished": "2025-10-01T11:45:23.963Z", "dateRejected": "2025-10-09T05:57:03.009Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-09T05:57:03.009Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53457 (GCVE-0-2023-53457)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
FS: JFS: Fix null-ptr-deref Read in txBegin
Syzkaller reported an issue where txBegin may be called
on a superblock in a read-only mounted filesystem which leads
to NULL pointer deref. This could be solved by checking if
the filesystem is read-only before calling txBegin, and returning
with appropriate error code.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/jfs/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a7225e9e09519deb7e0c42eb6070029cc456e84d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1b4c144767736221cad92c132f72b3c6ed06a0ea", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a7d17d6bd7cd4f6940b335ea7a6fce5b6d22adc2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2a3f20efe6c901d4c0871cfd1d8c65e2ade71fc1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3e94d0d378d2754b26fc54b429582553f7b53e15", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3e5eb6c5ecd8ddb9cfea751cf30f9e23eac97ca3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fd2db13fb72ff18c633a48229589d42ceb89d1f8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "47cfdc338d674d38f4b2f22b7612cc6a2763ba27", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/jfs/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.324", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": 
"5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.123", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.42", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.324", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.123", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.42", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Fix null-ptr-deref Read in txBegin\n\n Syzkaller reported an issue where txBegin may be called\n on a superblock in a read-only mounted filesystem which leads\n to NULL pointer deref. 
This could be solved by checking if\n the filesystem is read-only before calling txBegin, and returning\n with appropiate error code." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:28.730Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a7225e9e09519deb7e0c42eb6070029cc456e84d" }, { "url": "https://git.kernel.org/stable/c/1b4c144767736221cad92c132f72b3c6ed06a0ea" }, { "url": "https://git.kernel.org/stable/c/a7d17d6bd7cd4f6940b335ea7a6fce5b6d22adc2" }, { "url": "https://git.kernel.org/stable/c/2a3f20efe6c901d4c0871cfd1d8c65e2ade71fc1" }, { "url": "https://git.kernel.org/stable/c/3e94d0d378d2754b26fc54b429582553f7b53e15" }, { "url": "https://git.kernel.org/stable/c/3e5eb6c5ecd8ddb9cfea751cf30f9e23eac97ca3" }, { "url": "https://git.kernel.org/stable/c/fd2db13fb72ff18c633a48229589d42ceb89d1f8" }, { "url": "https://git.kernel.org/stable/c/47cfdc338d674d38f4b2f22b7612cc6a2763ba27" } ], "title": "FS: JFS: Fix null-ptr-deref Read in txBegin", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53457", "datePublished": "2025-10-01T11:42:28.730Z", "dateReserved": "2025-09-17T14:54:09.755Z", "dateUpdated": "2025-10-01T11:42:28.730Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53471 (GCVE-0-2023-53471)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
gfx9 cp_ecc_error_irq is only enabled when legacy gfx ras is assert.
So in gfx_v9_0_hw_fini, interrupt disablement for cp_ecc_error_irq
should be executed under such condition, otherwise, an amdgpu_irq_put
calltrace will occur.
[ 7283.170322] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]
[ 7283.170964] RSP: 0018:ffff9a5fc3967d00 EFLAGS: 00010246
[ 7283.170967] RAX: ffff98d88afd3040 RBX: ffff98d89da20000 RCX: 0000000000000000
[ 7283.170969] RDX: 0000000000000000 RSI: ffff98d89da2bef8 RDI: ffff98d89da20000
[ 7283.170971] RBP: ffff98d89da20000 R08: ffff98d89da2ca18 R09: 0000000000000006
[ 7283.170973] R10: ffffd5764243c008 R11: 0000000000000000 R12: 0000000000001050
[ 7283.170975] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105
[ 7283.170978] FS: 0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000
[ 7283.170981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7283.170983] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0
[ 7283.170986] Call Trace:
[ 7283.170988] <TASK>
[ 7283.170989] gfx_v9_0_hw_fini+0x1c/0x6d0 [amdgpu]
[ 7283.171655] amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]
[ 7283.172245] amdgpu_device_suspend+0x103/0x180 [amdgpu]
[ 7283.172823] amdgpu_pmops_freeze+0x21/0x60 [amdgpu]
[ 7283.173412] pci_pm_freeze+0x54/0xc0
[ 7283.173419] ? __pfx_pci_pm_freeze+0x10/0x10
[ 7283.173425] dpm_run_callback+0x98/0x200
[ 7283.173430] __device_suspend+0x164/0x5f0
v2: drop gfx11 as it's fixed in a different solution by retiring cp_ecc_irq funcs(Hawking)
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "625d4112ea25dbad7ddf749fd5c1287ceffb2339", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "20ca90ceda71ed90a4d6960acbe7d5e120b40c0d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cd3c0f7013c37cd24fc40b601319007f136c1201", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f661ad53658a1ea35c004af1f5fbe25c4d1cdb08", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3d28af21a874c5123d1681c2d686627f7ff7e488", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "efce310db74fdc6d2acd959f3582972ae4a8d7d5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4a76680311330aefe5074bed8f06afa354b85c48", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.243", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.180", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.112", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.29", 
"versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.16", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.243", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.180", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.112", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras\n\ngfx9 cp_ecc_error_irq is only enabled when legacy gfx ras is assert.\nSo in gfx_v9_0_hw_fini, interrupt disablement for cp_ecc_error_irq\nshould be executed under such condition, otherwise, an amdgpu_irq_put\ncalltrace will occur.\n\n[ 7283.170322] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]\n[ 7283.170964] RSP: 0018:ffff9a5fc3967d00 EFLAGS: 00010246\n[ 7283.170967] RAX: ffff98d88afd3040 RBX: ffff98d89da20000 RCX: 0000000000000000\n[ 7283.170969] RDX: 0000000000000000 RSI: ffff98d89da2bef8 RDI: ffff98d89da20000\n[ 7283.170971] RBP: 
ffff98d89da20000 R08: ffff98d89da2ca18 R09: 0000000000000006\n[ 7283.170973] R10: ffffd5764243c008 R11: 0000000000000000 R12: 0000000000001050\n[ 7283.170975] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105\n[ 7283.170978] FS: 0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000\n[ 7283.170981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7283.170983] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0\n[ 7283.170986] Call Trace:\n[ 7283.170988] \u003cTASK\u003e\n[ 7283.170989] gfx_v9_0_hw_fini+0x1c/0x6d0 [amdgpu]\n[ 7283.171655] amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]\n[ 7283.172245] amdgpu_device_suspend+0x103/0x180 [amdgpu]\n[ 7283.172823] amdgpu_pmops_freeze+0x21/0x60 [amdgpu]\n[ 7283.173412] pci_pm_freeze+0x54/0xc0\n[ 7283.173419] ? __pfx_pci_pm_freeze+0x10/0x10\n[ 7283.173425] dpm_run_callback+0x98/0x200\n[ 7283.173430] __device_suspend+0x164/0x5f0\n\nv2: drop gfx11 as it\u0027s fixed in a different solution by retiring cp_ecc_irq funcs(Hawking)" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:41.046Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/625d4112ea25dbad7ddf749fd5c1287ceffb2339" }, { "url": "https://git.kernel.org/stable/c/20ca90ceda71ed90a4d6960acbe7d5e120b40c0d" }, { "url": "https://git.kernel.org/stable/c/cd3c0f7013c37cd24fc40b601319007f136c1201" }, { "url": "https://git.kernel.org/stable/c/f661ad53658a1ea35c004af1f5fbe25c4d1cdb08" }, { "url": "https://git.kernel.org/stable/c/3d28af21a874c5123d1681c2d686627f7ff7e488" }, { "url": "https://git.kernel.org/stable/c/efce310db74fdc6d2acd959f3582972ae4a8d7d5" }, { "url": "https://git.kernel.org/stable/c/4a76680311330aefe5074bed8f06afa354b85c48" } ], "title": "drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53471", "datePublished": "2025-10-01T11:42:41.046Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:41.046Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53483 (GCVE-0-2023-53483)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()
devm_kzalloc() may fail, clk_data->name might be NULL and will
cause a NULL pointer dereference later.
[ rjw: Subject and changelog edits ]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/acpi/acpi_apd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "79ca94bc3e8cc3befa883c7d30b30a27ef0ea386", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8a632ff6a2bea49993002b4c46092a2aea625840", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4dea41775d951ff1f7b472a346a8ca3ae7e74455", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/acpi/acpi_apd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()\n\ndevm_kzalloc() may fail, clk_data-\u003ename might be NULL and will\ncause a NULL pointer dereference 
later.\n\n[ rjw: Subject and changelog edits ]" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:51.778Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/79ca94bc3e8cc3befa883c7d30b30a27ef0ea386" }, { "url": "https://git.kernel.org/stable/c/8a632ff6a2bea49993002b4c46092a2aea625840" }, { "url": "https://git.kernel.org/stable/c/4dea41775d951ff1f7b472a346a8ca3ae7e74455" } ], "title": "ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53483", "datePublished": "2025-10-01T11:42:51.778Z", "dateReserved": "2025-10-01T11:39:39.402Z", "dateUpdated": "2025-10-01T11:42:51.778Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53510 (GCVE-0-2023-53510)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix handling of lrbp->cmd
ufshcd_queuecommand() may be called two times in a row for a SCSI command
before it is completed. Hence make the following changes:
- In the functions that submit a command, do not check the old value of
lrbp->cmd nor clear lrbp->cmd in error paths.
- In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.
See also scsi_send_eh_cmnd().
This commit prevents that the following appears if a command times out:
WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8
Call trace:
ufshcd_queuecommand+0x6f8/0x9a8
scsi_send_eh_cmnd+0x2c0/0x960
scsi_eh_test_devices+0x100/0x314
scsi_eh_ready_devs+0xd90/0x114c
scsi_error_handler+0x2b4/0xb70
kthread+0x16c/0x1e0
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/ufs/core/ufshcd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f3ee24af62681b942bbd799ac77b90a6d7e1fdb1", "status": "affected", "version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288", "versionType": "git" }, { "lessThan": "49234a401e161a2f2698f4612ab792c49b3cad1b", "status": "affected", "version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288", "versionType": "git" }, { "lessThan": "549e91a9bbaa0ee480f59357868421a61d369770", "status": "affected", "version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/ufs/core/ufshcd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.13", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.13", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux 
kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix handling of lrbp-\u003ecmd\n\nufshcd_queuecommand() may be called two times in a row for a SCSI command\nbefore it is completed. Hence make the following changes:\n\n - In the functions that submit a command, do not check the old value of\n lrbp-\u003ecmd nor clear lrbp-\u003ecmd in error paths.\n\n - In ufshcd_release_scsi_cmd(), do not clear lrbp-\u003ecmd.\n\nSee also scsi_send_eh_cmnd().\n\nThis commit prevents that the following appears if a command times out:\n\nWARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8\nCall trace:\n ufshcd_queuecommand+0x6f8/0x9a8\n scsi_send_eh_cmnd+0x2c0/0x960\n scsi_eh_test_devices+0x100/0x314\n scsi_eh_ready_devs+0xd90/0x114c\n scsi_error_handler+0x2b4/0xb70\n kthread+0x16c/0x1e0" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:59.421Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f3ee24af62681b942bbd799ac77b90a6d7e1fdb1" }, { "url": "https://git.kernel.org/stable/c/49234a401e161a2f2698f4612ab792c49b3cad1b" }, { "url": "https://git.kernel.org/stable/c/549e91a9bbaa0ee480f59357868421a61d369770" } ], "title": "scsi: ufs: core: Fix handling of lrbp-\u003ecmd", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53510", "datePublished": "2025-10-01T11:45:59.421Z", "dateReserved": "2025-10-01T11:39:39.405Z", "dateUpdated": "2025-10-01T11:45:59.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53523 (GCVE-0-2023-53523)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: fix time stamp counter initialization
If the gs_usb device driver is unloaded (or unbound) before the
interface is shut down, the USB stack first calls the struct
usb_driver::disconnect and then the struct net_device_ops::ndo_stop
callback.
In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more
RX'ed CAN frames are sent from the USB device to the host. Later in
gs_can_close() a reset control message is sent to each CAN channel to
remove the controller from the CAN bus. In this race window the USB
device can still receive CAN frames from the bus and internally queue
them to be sent to the host.
At least in the current version of the candlelight firmware, the queue
of received CAN frames is not emptied during the reset command. After
loading (or binding) the gs_usb driver, new URBs are submitted during
the struct net_device_ops::ndo_open callback and the candlelight
firmware starts sending its already queued CAN frames to the host.
However, this scenario was not considered when implementing the
hardware timestamp function. The cycle counter/time counter
infrastructure is set up (gs_usb_timestamp_init()) after the USBs are
submitted, resulting in a NULL pointer dereference if
timecounter_cyc2time() (via the call chain:
gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() ->
gs_usb_skb_set_timestamp()) is called too early.
Move the gs_usb_timestamp_init() function before the URBs are
submitted to fix this problem.
For a comprehensive solution, we need to consider gs_usb devices with
more than 1 channel. The cycle counter/time counter infrastructure is
set up per channel, but the RX URBs are per device. Once gs_can_open()
of _a_ channel has been called, and URBs have been submitted, the
gs_usb_receive_bulk_callback() can be called for _all_ available
channels, even for channels that are not running, yet. As cycle
counter/time counter has not been set up, this will again lead to a NULL
pointer dereference.
Convert the cycle counter/time counter from a "per channel" to a "per
device" functionality. Also set it up, before submitting any URBs to
the device.
Further in gs_usb_receive_bulk_callback(), don't process any URBs for
not started CAN channels, only resubmit the URB.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/can/usb/gs_usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "210a8cffc9c1b044281c0a868485c870c9c11374", "status": "affected", "version": "45dfa45f52e66f8eee30a64b16550a9c47915044", "versionType": "git" }, { "lessThan": "5886e4d5ecec3e22844efed90b2dd383ef804b3a", "status": "affected", "version": "45dfa45f52e66f8eee30a64b16550a9c47915044", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/can/usb/gs_usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: fix time stamp counter initialization\n\nIf the gs_usb device driver is unloaded (or unbound) before the\ninterface is shut down, the USB stack first calls the struct\nusb_driver::disconnect and then the struct net_device_ops::ndo_stop\ncallback.\n\nIn gs_usb_disconnect() all pending bulk URBs are killed, i.e. 
no more\nRX\u0027ed CAN frames are send from the USB device to the host. Later in\ngs_can_close() a reset control message is send to each CAN channel to\nremove the controller from the CAN bus. In this race window the USB\ndevice can still receive CAN frames from the bus and internally queue\nthem to be send to the host.\n\nAt least in the current version of the candlelight firmware, the queue\nof received CAN frames is not emptied during the reset command. After\nloading (or binding) the gs_usb driver, new URBs are submitted during\nthe struct net_device_ops::ndo_open callback and the candlelight\nfirmware starts sending its already queued CAN frames to the host.\n\nHowever, this scenario was not considered when implementing the\nhardware timestamp function. The cycle counter/time counter\ninfrastructure is set up (gs_usb_timestamp_init()) after the USBs are\nsubmitted, resulting in a NULL pointer dereference if\ntimecounter_cyc2time() (via the call chain:\ngs_usb_receive_bulk_callback() -\u003e gs_usb_set_timestamp() -\u003e\ngs_usb_skb_set_timestamp()) is called too early.\n\nMove the gs_usb_timestamp_init() function before the URBs are\nsubmitted to fix this problem.\n\nFor a comprehensive solution, we need to consider gs_usb devices with\nmore than 1 channel. The cycle counter/time counter infrastructure is\nsetup per channel, but the RX URBs are per device. Once gs_can_open()\nof _a_ channel has been called, and URBs have been submitted, the\ngs_usb_receive_bulk_callback() can be called for _all_ available\nchannels, even for channels that are not running, yet. As cycle\ncounter/time counter has not set up, this will again lead to a NULL\npointer dereference.\n\nConvert the cycle counter/time counter from a \"per channel\" to a \"per\ndevice\" functionality. Also set it up, before submitting any URBs to\nthe device.\n\nFurther in gs_usb_receive_bulk_callback(), don\u0027t process any URBs for\nnot started CAN channels, only resubmit the URB." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:09.632Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/210a8cffc9c1b044281c0a868485c870c9c11374" }, { "url": "https://git.kernel.org/stable/c/5886e4d5ecec3e22844efed90b2dd383ef804b3a" } ], "title": "can: gs_usb: fix time stamp counter initialization", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53523", "datePublished": "2025-10-01T11:46:09.632Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:09.632Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53515 (GCVE-0-2023-53515)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-mmio: don't break lifecycle of vm_dev
vm_dev has a separate lifecycle because it has a 'struct device'
embedded. Thus, having a release callback for it is correct.
Allocating the vm_dev struct with devres totally breaks this protection,
though. Instead of waiting for the vm_dev release callback, the memory
is freed when the platform_device is removed. Resulting in a
use-after-free when finally the callback is to be called.
To easily see the problem, compile the kernel with
CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
The fix is easy, don't use devres in this case.
Found during my research about object lifetime problems.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/virtio/virtio_mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "97a2d55ead76358245b446efd87818e919196d7a", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "b788ad3b2468512339c05f23692e36860264e674", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "3ff54d904fafabd0912796785e53cce4e69ca123", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "af5818c35173e096085c6ae2e3aac605d3d15e41", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" }, { "lessThan": "55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a", "status": "affected", "version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/virtio/virtio_mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": 
"5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.128", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.47", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.128", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.47", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.12", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-mmio: don\u0027t break lifecycle of vm_dev\n\nvm_dev has a separate lifecycle because it has a \u0027struct device\u0027\nembedded. 
Thus, having a release callback for it is correct.\n\nAllocating the vm_dev struct with devres totally breaks this protection,\nthough. Instead of waiting for the vm_dev release callback, the memory\nis freed when the platform_device is removed. Resulting in a\nuse-after-free when finally the callback is to be called.\n\nTo easily see the problem, compile the kernel with\nCONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.\n\nThe fix is easy, don\u0027t use devres in this case.\n\nFound during my research about object lifetime problems." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:03.192Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/97a2d55ead76358245b446efd87818e919196d7a" }, { "url": "https://git.kernel.org/stable/c/b788ad3b2468512339c05f23692e36860264e674" }, { "url": "https://git.kernel.org/stable/c/3ff54d904fafabd0912796785e53cce4e69ca123" }, { "url": "https://git.kernel.org/stable/c/5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e" }, { "url": "https://git.kernel.org/stable/c/af5818c35173e096085c6ae2e3aac605d3d15e41" }, { "url": "https://git.kernel.org/stable/c/2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e" }, { "url": "https://git.kernel.org/stable/c/55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a" } ], "title": "virtio-mmio: don\u0027t break lifecycle of vm_dev", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53515", "datePublished": "2025-10-01T11:46:03.192Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:03.192Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50444 (GCVE-0-2022-50444)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra20: Fix refcount leak in tegra20_clock_init
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra20.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f9bdef9bb60814514a787b84184ecaa269a7c951", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "6f76ef65899fcd93ca747ef38d7a41931e61e4fa", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "0172d14f50098f5736b4b272a1529a3e05419bd6", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "5d9fb09612defe7b1d5627db7b3833b46eb21e7b", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "70f0a0a27d79f689defc5f5f0bd47d07813e6dea", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "d6e750535b46e12cdde185b416c415e49e4e6e22", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "8cd228892759d37f36a46616025f4fa0d0a63b5d", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "53531d00e2a8a28a3bf56ea58b18ff3611824f37", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" }, { "lessThan": "4e343bafe03ff68a62f48f8235cf98f2c685468b", "status": "affected", "version": "37c26a906527b8a6a252614ca83d21ad318c4e84", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra20.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", 
"version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.331", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.296", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.262", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.220", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.331", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.296", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.262", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.220", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "3.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra20: Fix refcount leak in tegra20_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:19.730Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f9bdef9bb60814514a787b84184ecaa269a7c951" }, { "url": "https://git.kernel.org/stable/c/6f76ef65899fcd93ca747ef38d7a41931e61e4fa" }, { "url": "https://git.kernel.org/stable/c/0172d14f50098f5736b4b272a1529a3e05419bd6" }, { "url": "https://git.kernel.org/stable/c/5d9fb09612defe7b1d5627db7b3833b46eb21e7b" }, { "url": "https://git.kernel.org/stable/c/70f0a0a27d79f689defc5f5f0bd47d07813e6dea" }, { "url": "https://git.kernel.org/stable/c/d6e750535b46e12cdde185b416c415e49e4e6e22" }, { "url": "https://git.kernel.org/stable/c/8cd228892759d37f36a46616025f4fa0d0a63b5d" }, { "url": "https://git.kernel.org/stable/c/53531d00e2a8a28a3bf56ea58b18ff3611824f37" }, { "url": "https://git.kernel.org/stable/c/4e343bafe03ff68a62f48f8235cf98f2c685468b" } ], "title": "clk: tegra20: Fix refcount leak in tegra20_clock_init", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", 
"cveId": "CVE-2022-50444", "datePublished": "2025-10-01T11:42:19.730Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:19.730Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50455 (GCVE-0-2022-50455)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2025-10-10T15:31:02.037Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50455", "datePublished": "2025-10-01T11:45:28.159Z", "dateRejected": "2025-10-10T15:31:02.037Z", "dateReserved": "2025-10-01T11:38:45.640Z", "dateUpdated": "2025-10-10T15:31:02.037Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53490 (GCVE-0-2023-53490)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix disconnect vs accept race
Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in
recvmsg()"), the mptcp protocol is still prone to a race between
disconnect() (or shutdown) and accept.
The root cause is that the mentioned commit checks the msk-level
flag, but mptcp_stream_accept() does acquire the msk-level lock,
as it can rely directly on the first subflow lock.
As reported by Christoph that can lead to a race where an msk
socket is accepted after that mptcp_subflow_queue_clean() releases
the listener socket lock and just before it takes destructive
actions leading to the following splat:
BUG: kernel NULL pointer dereference, address: 0000000000000012
PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330
Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89
RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300
RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a
RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020
R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880
FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_accept+0x1ae/0x260 net/socket.c:1872
__sys_accept4+0x9b/0x110 net/socket.c:1913
__do_sys_accept4 net/socket.c:1954 [inline]
__se_sys_accept4 net/socket.c:1951 [inline]
__x64_sys_accept4+0x20/0x30 net/socket.c:1951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Address the issue by temporarily removing the pending request socket
from the accept queue, so that racing accept() can't touch them.
After depleting the msk - the ssk still exists, as plain TCP sockets,
re-insert them into the accept queue, so that later inet_csk_listen_stop()
will complete the tcp socket disposal.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.h", "net/mptcp/subflow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ded9f5551ce5cafa3c41c794428c27a0d0a00542", "status": "affected", "version": "b45d8f5375eda3ddc89fe529b58bb643917bd87b", "versionType": "git" }, { "lessThan": "b2b4c84eb7149f34c0f25f17042d095ba5357d68", "status": "affected", "version": "2a6a870e44dd88f1a6a2893c65ef756a9edfb4c7", "versionType": "git" }, { "lessThan": "511b90e39250135a7f900f1c3afbce25543018a2", "status": "affected", "version": "2a6a870e44dd88f1a6a2893c65ef756a9edfb4c7", "versionType": "git" }, { "status": "affected", "version": "64b66601308dae6105fbde964a339462a29c2a73", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/mptcp/protocol.h", "net/mptcp/subflow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.46", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.46", "versionStartIncluding": "6.1.27", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.11", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", 
"versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix disconnect vs accept race\n\nDespite commit 0ad529d9fd2b (\"mptcp: fix possible divide by zero in\nrecvmsg()\"), the mptcp protocol is still prone to a race between\ndisconnect() (or shutdown) and accept.\n\nThe root cause is that the mentioned commit checks the msk-level\nflag, but mptcp_stream_accept() does acquire the msk-level lock,\nas it can rely directly on the first subflow lock.\n\nAs reported by Christoph than can lead to a race where an msk\nsocket is accepted after that mptcp_subflow_queue_clean() releases\nthe listener socket lock and just before it takes destructive\nactions leading to the following splat:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\nPGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330\nCode: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 \u003c0f\u003e b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89\nRSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300\nRDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a\nRBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020\nR13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880\nFS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) 
knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n do_accept+0x1ae/0x260 net/socket.c:1872\n __sys_accept4+0x9b/0x110 net/socket.c:1913\n __do_sys_accept4 net/socket.c:1954 [inline]\n __se_sys_accept4 net/socket.c:1951 [inline]\n __x64_sys_accept4+0x20/0x30 net/socket.c:1951\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nAddress the issue by temporary removing the pending request socket\nfrom the accept queue, so that racing accept() can\u0027t touch them.\n\nAfter depleting the msk - the ssk still exists, as plain TCP sockets,\nre-insert them into the accept queue, so that later inet_csk_listen_stop()\nwill complete the tcp socket disposal." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:42.182Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ded9f5551ce5cafa3c41c794428c27a0d0a00542" }, { "url": "https://git.kernel.org/stable/c/b2b4c84eb7149f34c0f25f17042d095ba5357d68" }, { "url": "https://git.kernel.org/stable/c/511b90e39250135a7f900f1c3afbce25543018a2" } ], "title": "mptcp: fix disconnect vs accept race", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53490", "datePublished": "2025-10-01T11:45:42.182Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:42.182Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53509 (GCVE-0-2023-53509)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
qed: allow sleep in qed_mcp_trace_dump()
By default, qed_mcp_cmd_and_union() delays 10us at a time in a loop
that can run 500K times, so calls to qed_mcp_nvm_rd_cmd()
may block the current thread for over 5s.
We observed thread scheduling delays over 700ms in production,
with stacktraces pointing to this code as the culprit.
qed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.
It already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().
Add a "can sleep" parameter to qed_find_nvram_image() and
qed_nvram_read() so they can sleep during qed_mcp_trace_dump().
qed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),
called only by qed_mcp_trace_dump(), allow these functions to sleep.
I can't tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,
so keep b_can_sleep set to false when it calls these functions.
An example stacktrace from a custom warning we added to the kernel
showing a thread that has not scheduled despite long needing resched:
[ 2745.362925,17] ------------[ cut here ]------------
[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()
[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99
[ 2745.362956,17] Modules linked in: ...
[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x
[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020
[ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20
[ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000
[ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000
[ 2745.363379,17] Call Trace:
[ 2745.363382,17] <IRQ> [<ffffffff8131eb2f>] dump_stack+0x8e/0xcf
[ 2745.363393,17] [<ffffffff81072ac2>] warn_slowpath_common+0x82/0xc0
[ 2745.363398,17] [<ffffffff81072b4c>] warn_slowpath_fmt+0x4c/0x50
[ 2745.363404,17] [<ffffffff810d5a8e>] ? rcu_irq_exit+0xae/0xc0
[ 2745.363408,17] [<ffffffff817c99fe>] do_IRQ+0x15e/0x1a0
[ 2745.363413,17] [<ffffffff817c7ac9>] common_interrupt+0x89/0x89
[ 2745.363416,17] <EOI> [<ffffffff8132aa74>] ? delay_tsc+0x24/0x50
[ 2745.363425,17] [<ffffffff8132aa04>] __udelay+0x34/0x40
[ 2745.363457,17] [<ffffffffa04d45ff>] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]
[ 2745.363473,17] [<ffffffffa04d5ced>] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]
[ 2745.363490,17] [<ffffffffa04e1dc7>] qed_mcp_trace_dump+0x4a7/0x630 [qed]
[ 2745.363504,17] [<ffffffffa04e2556>] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]
[ 2745.363520,17] [<ffffffffa04e4ea7>] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]
[ 2745.363536,17] [<ffffffffa04ea881>] qed_dbg_feature_size+0x61/0xa0 [qed]
[ 2745.363551,17] [<ffffffffa04eb427>] qed_dbg_all_data_size+0x247/0x260 [qed]
[ 2745.363560,17] [<ffffffffa0482c10>] qede_get_regs_len+0x30/0x40 [qede]
[ 2745.363566,17] [<ffffffff816c9783>] ethtool_get_drvinfo+0xe3/0x190
[ 2745.363570,17] [<ffffffff816cc152>] dev_ethtool+0x1362/0x2140
[ 2745.363575,17] [<ffffffff8109bcc6>] ? finish_task_switch+0x76/0x260
[ 2745.363580,17] [<ffffffff817c2116>] ? __schedule+0x3c6/0x9d0
[ 2745.363585,17] [<ffffffff810dbd50>] ? hrtimer_start_range_ns+0x1d0/0x370
[ 2745.363589,17] [<ffffffff816c1e5b>] ? dev_get_by_name_rcu+0x6b/0x90
[ 2745.363594,17] [<ffffffff816de6a8>] dev_ioctl+0xe8/0x710
[ 2745.363599,17] [<ffffffff816a58a8>] sock_do_ioctl+0x48/0x60
[ 2745.363603,17] [<ffffffff816a5d87>] sock_ioctl+0x1c7/0x280
[ 2745.363608,17] [<ffffffff8111f393>] ? seccomp_phase1+0x83/0x220
[ 2745.363612,17] [<ffffffff811e3503>] do_vfs_ioctl+0x2b3/0x4e0
[ 2745.363616,17] [<ffffffff811e3771>] SyS_ioctl+0x41/0x70
[ 2745.363619,17] [<ffffffff817c6ffe>] entry_SYSCALL_64_fastpath+0x1e/0x79
[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/qlogic/qed/qed_debug.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e0387f4f39a8d92302273ac356d1f6b2a38160d8", "status": "affected", "version": "c965db44462919f613973aa618271f6c3f5a1e64", "versionType": "git" }, { "lessThan": "50c81b35df01db12b348c5cbf4b1917dc9a7db54", "status": "affected", "version": "c965db44462919f613973aa618271f6c3f5a1e64", "versionType": "git" }, { "lessThan": "5401c3e0992860b11fb4b25796e4c4f1921740df", "status": "affected", "version": "c965db44462919f613973aa618271f6c3f5a1e64", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/qlogic/qed/qed_debug.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.9" }, { "lessThan": "4.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.19", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.19", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.5", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "4.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": 
"en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: allow sleep in qed_mcp_trace_dump()\n\nBy default, qed_mcp_cmd_and_union() delays 10us at a time in a loop\nthat can run 500K times, so calls to qed_mcp_nvm_rd_cmd()\nmay block the current thread for over 5s.\nWe observed thread scheduling delays over 700ms in production,\nwith stacktraces pointing to this code as the culprit.\n\nqed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.\nIt already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().\nAdd a \"can sleep\" parameter to qed_find_nvram_image() and\nqed_nvram_read() so they can sleep during qed_mcp_trace_dump().\nqed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),\ncalled only by qed_mcp_trace_dump(), allow these functions to sleep.\nI can\u0027t tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,\nso keep b_can_sleep set to false when it calls these functions.\n\nAn example stacktrace from a custom warning we added to the kernel\nshowing a thread that has not scheduled despite long needing resched:\n[ 2745.362925,17] ------------[ cut here ]------------\n[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()\n[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99\n[ 2745.362956,17] Modules linked in: ...\n[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x\n[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020\n[ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20\n[ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000\n[ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000\n[ 2745.363379,17] Call Trace:\n[ 2745.363382,17] \u003cIRQ\u003e [\u003cffffffff8131eb2f\u003e] dump_stack+0x8e/0xcf\n[ 2745.363393,17] [\u003cffffffff81072ac2\u003e] 
warn_slowpath_common+0x82/0xc0\n[ 2745.363398,17] [\u003cffffffff81072b4c\u003e] warn_slowpath_fmt+0x4c/0x50\n[ 2745.363404,17] [\u003cffffffff810d5a8e\u003e] ? rcu_irq_exit+0xae/0xc0\n[ 2745.363408,17] [\u003cffffffff817c99fe\u003e] do_IRQ+0x15e/0x1a0\n[ 2745.363413,17] [\u003cffffffff817c7ac9\u003e] common_interrupt+0x89/0x89\n[ 2745.363416,17] \u003cEOI\u003e [\u003cffffffff8132aa74\u003e] ? delay_tsc+0x24/0x50\n[ 2745.363425,17] [\u003cffffffff8132aa04\u003e] __udelay+0x34/0x40\n[ 2745.363457,17] [\u003cffffffffa04d45ff\u003e] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]\n[ 2745.363473,17] [\u003cffffffffa04d5ced\u003e] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]\n[ 2745.363490,17] [\u003cffffffffa04e1dc7\u003e] qed_mcp_trace_dump+0x4a7/0x630 [qed]\n[ 2745.363504,17] [\u003cffffffffa04e2556\u003e] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]\n[ 2745.363520,17] [\u003cffffffffa04e4ea7\u003e] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]\n[ 2745.363536,17] [\u003cffffffffa04ea881\u003e] qed_dbg_feature_size+0x61/0xa0 [qed]\n[ 2745.363551,17] [\u003cffffffffa04eb427\u003e] qed_dbg_all_data_size+0x247/0x260 [qed]\n[ 2745.363560,17] [\u003cffffffffa0482c10\u003e] qede_get_regs_len+0x30/0x40 [qede]\n[ 2745.363566,17] [\u003cffffffff816c9783\u003e] ethtool_get_drvinfo+0xe3/0x190\n[ 2745.363570,17] [\u003cffffffff816cc152\u003e] dev_ethtool+0x1362/0x2140\n[ 2745.363575,17] [\u003cffffffff8109bcc6\u003e] ? finish_task_switch+0x76/0x260\n[ 2745.363580,17] [\u003cffffffff817c2116\u003e] ? __schedule+0x3c6/0x9d0\n[ 2745.363585,17] [\u003cffffffff810dbd50\u003e] ? hrtimer_start_range_ns+0x1d0/0x370\n[ 2745.363589,17] [\u003cffffffff816c1e5b\u003e] ? dev_get_by_name_rcu+0x6b/0x90\n[ 2745.363594,17] [\u003cffffffff816de6a8\u003e] dev_ioctl+0xe8/0x710\n[ 2745.363599,17] [\u003cffffffff816a58a8\u003e] sock_do_ioctl+0x48/0x60\n[ 2745.363603,17] [\u003cffffffff816a5d87\u003e] sock_ioctl+0x1c7/0x280\n[ 2745.363608,17] [\u003cffffffff8111f393\u003e] ? 
seccomp_phase1+0x83/0x220\n[ 2745.363612,17] [\u003cffffffff811e3503\u003e] do_vfs_ioctl+0x2b3/0x4e0\n[ 2745.363616,17] [\u003cffffffff811e3771\u003e] SyS_ioctl+0x41/0x70\n[ 2745.363619,17] [\u003cffffffff817c6ffe\u003e] entry_SYSCALL_64_fastpath+0x1e/0x79\n[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:58.762Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e0387f4f39a8d92302273ac356d1f6b2a38160d8" }, { "url": "https://git.kernel.org/stable/c/50c81b35df01db12b348c5cbf4b1917dc9a7db54" }, { "url": "https://git.kernel.org/stable/c/5401c3e0992860b11fb4b25796e4c4f1921740df" } ], "title": "qed: allow sleep in qed_mcp_trace_dump()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53509", "datePublished": "2025-10-01T11:45:58.762Z", "dateReserved": "2025-10-01T11:39:39.405Z", "dateUpdated": "2025-10-01T11:45:58.762Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50443 (GCVE-0-2022-50443)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/rockchip: lvds: fix PM usage counter unbalance in poweron
pm_runtime_get_sync will increment pm usage counter even if it failed.
Forgetting the put operation will result in a reference leak here.
We fix it by replacing it with the newest pm_runtime_resume_and_get
to keep usage counter balanced.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 34cc0aa2545603560c79aaea3340d8ff3a71bd10 Version: 34cc0aa2545603560c79aaea3340d8ff3a71bd10 Version: 34cc0aa2545603560c79aaea3340d8ff3a71bd10 Version: 34cc0aa2545603560c79aaea3340d8ff3a71bd10 Version: 34cc0aa2545603560c79aaea3340d8ff3a71bd10
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/rockchip/rockchip_lvds.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "110bf15825edf4f20bc4e56aba624297861b06ab", "status": "affected", "version": "34cc0aa2545603560c79aaea3340d8ff3a71bd10", "versionType": "git" }, { "lessThan": "f6ed73db390319b248b91a6325da1a48ad85e0d1", "status": "affected", "version": "34cc0aa2545603560c79aaea3340d8ff3a71bd10", "versionType": "git" }, { "lessThan": "589a911980b730feadb9c430bc0747a118b04dd8", "status": "affected", "version": "34cc0aa2545603560c79aaea3340d8ff3a71bd10", "versionType": "git" }, { "lessThan": "12a9b4c4ebd9a0ba856370e088564af83cffd565", "status": "affected", "version": "34cc0aa2545603560c79aaea3340d8ff3a71bd10", "versionType": "git" }, { "lessThan": "4dba27f1a14592ac4cf71c3bc1cc1fd05dea8015", "status": "affected", "version": "34cc0aa2545603560c79aaea3340d8ff3a71bd10", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/rockchip/rockchip_lvds.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { 
"cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: lvds: fix PM usage counter unbalance in poweron\n\npm_runtime_get_sync will increment pm usage counter even it failed.\nForgetting to putting operation will result in reference leak here.\nWe fix it by replacing it with the newest pm_runtime_resume_and_get\nto keep usage counter balanced." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:18.900Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/110bf15825edf4f20bc4e56aba624297861b06ab" }, { "url": "https://git.kernel.org/stable/c/f6ed73db390319b248b91a6325da1a48ad85e0d1" }, { "url": "https://git.kernel.org/stable/c/589a911980b730feadb9c430bc0747a118b04dd8" }, { "url": "https://git.kernel.org/stable/c/12a9b4c4ebd9a0ba856370e088564af83cffd565" }, { "url": "https://git.kernel.org/stable/c/4dba27f1a14592ac4cf71c3bc1cc1fd05dea8015" } ], "title": "drm/rockchip: lvds: fix PM usage counter unbalance in poweron", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50443", "datePublished": "2025-10-01T11:42:18.900Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:18.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53486 (GCVE-0-2023-53486)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Enhance the attribute size check
This combines the overflow and boundary check so that all attribute sizes
will be properly examined while enumerating them.
[ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570
[ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247
[ 169.184046]
[ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3
[ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 169.187066] Call Trace:
[ 169.187492] <TASK>
[ 169.188049] dump_stack_lvl+0x49/0x63
[ 169.188495] print_report.cold+0xf5/0x689
[ 169.188964] ? run_unpack+0x2e3/0x570
[ 169.189331] kasan_report+0xa7/0x130
[ 169.189714] ? run_unpack+0x2e3/0x570
[ 169.190079] __asan_load1+0x51/0x60
[ 169.190634] run_unpack+0x2e3/0x570
[ 169.191290] ? run_pack+0x840/0x840
[ 169.191569] ? run_lookup_entry+0xb3/0x1f0
[ 169.192443] ? mi_enum_attr+0x20a/0x230
[ 169.192886] run_unpack_ex+0xad/0x3e0
[ 169.193276] ? run_unpack+0x570/0x570
[ 169.193557] ? ni_load_mi+0x80/0x80
[ 169.193889] ? debug_smp_processor_id+0x17/0x20
[ 169.194236] ? mi_init+0x4a/0x70
[ 169.194496] attr_load_runs_vcn+0x166/0x1c0
[ 169.194851] ? attr_data_write_resident+0x250/0x250
[ 169.195188] mi_read+0x133/0x2c0
[ 169.195481] ntfs_iget5+0x277/0x1780
[ 169.196017] ? call_rcu+0x1c7/0x330
[ 169.196392] ? ntfs_get_block_bmap+0x70/0x70
[ 169.196708] ? evict+0x223/0x280
[ 169.197014] ? __kmalloc+0x33/0x540
[ 169.197305] ? wnd_init+0x15b/0x1b0
[ 169.197599] ntfs_fill_super+0x1026/0x1ba0
[ 169.197994] ? put_ntfs+0x1d0/0x1d0
[ 169.198299] ? vsprintf+0x20/0x20
[ 169.198583] ? mutex_unlock+0x81/0xd0
[ 169.198930] ? set_blocksize+0x95/0x150
[ 169.199269] get_tree_bdev+0x232/0x370
[ 169.199750] ? put_ntfs+0x1d0/0x1d0
[ 169.200094] ntfs_fs_get_tree+0x15/0x20
[ 169.200431] vfs_get_tree+0x4c/0x130
[ 169.200714] path_mount+0x654/0xfe0
[ 169.201067] ? putname+0x80/0xa0
[ 169.201358] ? finish_automount+0x2e0/0x2e0
[ 169.201965] ? putname+0x80/0xa0
[ 169.202445] ? kmem_cache_free+0x1c4/0x440
[ 169.203075] ? putname+0x80/0xa0
[ 169.203414] do_mount+0xd6/0xf0
[ 169.203719] ? path_mount+0xfe0/0xfe0
[ 169.203977] ? __kasan_check_write+0x14/0x20
[ 169.204382] __x64_sys_mount+0xca/0x110
[ 169.204711] do_syscall_64+0x3b/0x90
[ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 169.205571] RIP: 0033:0x7f67a80e948a
[ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a
[ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0
[ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020
[ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0
[ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff
[ 169.211913] </TASK>
[ 169.212304]
[ 169.212680] Allocated by task 0:
[ 169.212963] (stack is not available)
[ 169.213200]
[ 169.213472] The buggy address belongs to the object at ffff8880094b5e00
[ 169.213472] which belongs to the cache UDP of size 1152
[ 169.214095] The buggy address is located 1088 bytes inside of
[ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280)
[ 169.214639]
[ 169.215004] The buggy address belongs to the physical page:
[ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4
[ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0
[ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
[ 169.220272] raw: 000fffffc0010200
---truncated---
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ntfs3/record.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1fd5b80c9339503f3eaa4db3051b37ac506beeab", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "277439e7cabd9d4c6334b39a4b99d49b4c97265b", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "f28d9e02c2c242e8f9af9e13ba263fcc0211be49", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "4f082a7531223a438c757bb20e304f4c941c67a8", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ntfs3/record.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.80", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.80", "versionStartIncluding": "5.15", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Enhance the attribute size check\n\nThis combines the overflow and boundary check so that all attribute size\nwill be properly examined while enumerating them.\n\n[ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570\n[ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247\n[ 169.184046]\n[ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3\n[ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 169.187066] Call Trace:\n[ 169.187492] \u003cTASK\u003e\n[ 169.188049] dump_stack_lvl+0x49/0x63\n[ 169.188495] print_report.cold+0xf5/0x689\n[ 169.188964] ? run_unpack+0x2e3/0x570\n[ 169.189331] kasan_report+0xa7/0x130\n[ 169.189714] ? run_unpack+0x2e3/0x570\n[ 169.190079] __asan_load1+0x51/0x60\n[ 169.190634] run_unpack+0x2e3/0x570\n[ 169.191290] ? run_pack+0x840/0x840\n[ 169.191569] ? run_lookup_entry+0xb3/0x1f0\n[ 169.192443] ? mi_enum_attr+0x20a/0x230\n[ 169.192886] run_unpack_ex+0xad/0x3e0\n[ 169.193276] ? run_unpack+0x570/0x570\n[ 169.193557] ? ni_load_mi+0x80/0x80\n[ 169.193889] ? debug_smp_processor_id+0x17/0x20\n[ 169.194236] ? mi_init+0x4a/0x70\n[ 169.194496] attr_load_runs_vcn+0x166/0x1c0\n[ 169.194851] ? attr_data_write_resident+0x250/0x250\n[ 169.195188] mi_read+0x133/0x2c0\n[ 169.195481] ntfs_iget5+0x277/0x1780\n[ 169.196017] ? call_rcu+0x1c7/0x330\n[ 169.196392] ? ntfs_get_block_bmap+0x70/0x70\n[ 169.196708] ? evict+0x223/0x280\n[ 169.197014] ? 
__kmalloc+0x33/0x540\n[ 169.197305] ? wnd_init+0x15b/0x1b0\n[ 169.197599] ntfs_fill_super+0x1026/0x1ba0\n[ 169.197994] ? put_ntfs+0x1d0/0x1d0\n[ 169.198299] ? vsprintf+0x20/0x20\n[ 169.198583] ? mutex_unlock+0x81/0xd0\n[ 169.198930] ? set_blocksize+0x95/0x150\n[ 169.199269] get_tree_bdev+0x232/0x370\n[ 169.199750] ? put_ntfs+0x1d0/0x1d0\n[ 169.200094] ntfs_fs_get_tree+0x15/0x20\n[ 169.200431] vfs_get_tree+0x4c/0x130\n[ 169.200714] path_mount+0x654/0xfe0\n[ 169.201067] ? putname+0x80/0xa0\n[ 169.201358] ? finish_automount+0x2e0/0x2e0\n[ 169.201965] ? putname+0x80/0xa0\n[ 169.202445] ? kmem_cache_free+0x1c4/0x440\n[ 169.203075] ? putname+0x80/0xa0\n[ 169.203414] do_mount+0xd6/0xf0\n[ 169.203719] ? path_mount+0xfe0/0xfe0\n[ 169.203977] ? __kasan_check_write+0x14/0x20\n[ 169.204382] __x64_sys_mount+0xca/0x110\n[ 169.204711] do_syscall_64+0x3b/0x90\n[ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 169.205571] RIP: 0033:0x7f67a80e948a\n[ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a\n[ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0\n[ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020\n[ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0\n[ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff\n[ 169.211913] \u003c/TASK\u003e\n[ 169.212304]\n[ 169.212680] Allocated by task 0:\n[ 169.212963] (stack is not available)\n[ 169.213200]\n[ 169.213472] The buggy address belongs to the object at ffff8880094b5e00\n[ 169.213472] which belongs to the cache UDP of size 1152\n[ 169.214095] The buggy address is located 1088 bytes inside of\n[ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280)\n[ 
169.214639]\n[ 169.215004] The buggy address belongs to the physical page:\n[ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4\n[ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0\n[ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\n[ 169.220272] raw: 000fffffc0010200\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:29.089Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1fd5b80c9339503f3eaa4db3051b37ac506beeab" }, { "url": "https://git.kernel.org/stable/c/277439e7cabd9d4c6334b39a4b99d49b4c97265b" }, { "url": "https://git.kernel.org/stable/c/f28d9e02c2c242e8f9af9e13ba263fcc0211be49" }, { "url": "https://git.kernel.org/stable/c/4f082a7531223a438c757bb20e304f4c941c67a8" } ], "title": "fs/ntfs3: Enhance the attribute size check", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53486", "datePublished": "2025-10-01T11:42:54.028Z", "dateReserved": "2025-10-01T11:39:39.402Z", "dateUpdated": "2025-10-02T07:04:29.089Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50448 (GCVE-0-2022-50448)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in
When PTE_MARKER_UFFD_WP is not configured, it's still possible to reach pte
marker code and trigger a warning. Add a few CONFIG_PTE_MARKER_UFFD_WP
ifdefs to make sure the code won't be reached when not compiled in.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/hugetlb.c", "mm/memory.c", "mm/mprotect.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b76e4eb02e9edb9a0a51942acdb373ca01346e8c", "status": "affected", "version": "b1f9e876862d8f7176299ec4fb2108bc1045cbc8", "versionType": "git" }, { "lessThan": "2204a880cb0c51952463a24a4fa01a6514c5a25a", "status": "affected", "version": "b1f9e876862d8f7176299ec4fb2108bc1045cbc8", "versionType": "git" }, { "lessThan": "515778e2d790652a38a24554fdb7f21420d91efc", "status": "affected", "version": "b1f9e876862d8f7176299ec4fb2108bc1045cbc8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/hugetlb.c", "mm/memory.c", "mm/mprotect.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in\n\nWhen PTE_MARKER_UFFD_WP not configured, it\u0027s still possible to reach pte\nmarker code and trigger an warning. Add a few CONFIG_PTE_MARKER_UFFD_WP\nifdefs to make sure the code won\u0027t be reached when not compiled in." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:22.513Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b76e4eb02e9edb9a0a51942acdb373ca01346e8c" }, { "url": "https://git.kernel.org/stable/c/2204a880cb0c51952463a24a4fa01a6514c5a25a" }, { "url": "https://git.kernel.org/stable/c/515778e2d790652a38a24554fdb7f21420d91efc" } ], "title": "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50448", "datePublished": "2025-10-01T11:45:22.513Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-01T11:45:22.513Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53517 (GCVE-0-2023-53517)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:

tipc: do not update mtu if msg_max is too small in mtu negotiation

When doing link mtu negotiation, a malicious peer may send Activate msg
with a very small mtu, e.g. 4 in Shuang's testing, without checking for
the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
n->links[bearer_id].mtu is set to 4294967228, which is an overflow of
'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().

With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:

  tipc: Too large msg, purging xmit list 1 5 0 40 4!
  tipc: Too large msg, purging xmit list 1 15 0 60 4!

And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
named_distribute(), and when purging it in tipc_link_xmit(), a crash
was even caused:

  general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
  RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
  Call Trace:
   <IRQ>
   skb_release_data+0xf9/0x1d0
   kfree_skb_reason+0x40/0x100
   tipc_link_xmit+0x57a/0x740 [tipc]
   tipc_node_xmit+0x16c/0x5c0 [tipc]
   tipc_named_node_up+0x27f/0x2c0 [tipc]
   tipc_node_write_unlock+0x149/0x170 [tipc]
   tipc_rcv+0x608/0x740 [tipc]
   tipc_udp_recv+0xdc/0x1f0 [tipc]
   udp_queue_rcv_one_skb+0x33e/0x620
   udp_unicast_rcv_skb.isra.72+0x75/0x90
   __udp4_lib_rcv+0x56d/0xc20
   ip_protocol_deliver_rcu+0x100/0x2d0

This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
and not updating mtu if it is too small.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | ed193ece2649c194a87a9d8470195760d367c075
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tipc/link.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2bd4ff4ffb92113f8acd04dbaed83269172c24b4", "status": "affected", "version": "ed193ece2649c194a87a9d8470195760d367c075", "versionType": "git" }, { "lessThan": "575e84d90a74c0b091b3417ba763ebb237aa0a8c", "status": "affected", "version": "ed193ece2649c194a87a9d8470195760d367c075", "versionType": "git" }, { "lessThan": "259683001d7e879fea4b42084fb6560dd9408a7e", "status": "affected", "version": "ed193ece2649c194a87a9d8470195760d367c075", "versionType": "git" }, { "lessThan": "1dd7ae5e0cf5a56e513f7ab7ab9570b7496281d2", "status": "affected", "version": "ed193ece2649c194a87a9d8470195760d367c075", "versionType": "git" }, { "lessThan": "56077b56cd3fb78e1c8619e29581ba25a5c55e86", "status": "affected", "version": "ed193ece2649c194a87a9d8470195760d367c075", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/tipc/link.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.1" }, { "lessThan": "4.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "4.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: do not update mtu if msg_max is too small in mtu negotiation\n\nWhen doing link mtu negotiation, a malicious peer may send Activate msg\nwith a very small mtu, e.g. 
4 in Shuang\u0027s testing, without checking for\nthe minimum mtu, l-\u003emtu will be set to 4 in tipc_link_proto_rcv(), then\nn-\u003elinks[bearer_id].mtu is set to 4294967228, which is a overflow of\n\u00274 - INT_H_SIZE - EMSG_OVERHEAD\u0027 in tipc_link_mss().\n\nWith tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:\n\n tipc: Too large msg, purging xmit list 1 5 0 40 4!\n tipc: Too large msg, purging xmit list 1 15 0 60 4!\n\nAnd with tipc_link_entry.mtu 4294967228, a huge skb was allocated in\nnamed_distribute(), and when purging it in tipc_link_xmit(), a crash\nwas even caused:\n\n general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19\n RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0\n Call Trace:\n \u003cIRQ\u003e\n skb_release_data+0xf9/0x1d0\n kfree_skb_reason+0x40/0x100\n tipc_link_xmit+0x57a/0x740 [tipc]\n tipc_node_xmit+0x16c/0x5c0 [tipc]\n tipc_named_node_up+0x27f/0x2c0 [tipc]\n tipc_node_write_unlock+0x149/0x170 [tipc]\n tipc_rcv+0x608/0x740 [tipc]\n tipc_udp_recv+0xdc/0x1f0 [tipc]\n udp_queue_rcv_one_skb+0x33e/0x620\n udp_unicast_rcv_skb.isra.72+0x75/0x90\n __udp4_lib_rcv+0x56d/0xc20\n ip_protocol_deliver_rcu+0x100/0x2d0\n\nThis patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),\nand not updating mtu if it is too small." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:04.673Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2bd4ff4ffb92113f8acd04dbaed83269172c24b4" }, { "url": "https://git.kernel.org/stable/c/575e84d90a74c0b091b3417ba763ebb237aa0a8c" }, { "url": "https://git.kernel.org/stable/c/259683001d7e879fea4b42084fb6560dd9408a7e" }, { "url": "https://git.kernel.org/stable/c/1dd7ae5e0cf5a56e513f7ab7ab9570b7496281d2" }, { "url": "https://git.kernel.org/stable/c/56077b56cd3fb78e1c8619e29581ba25a5c55e86" } ], "title": "tipc: do not update mtu if msg_max is too small in mtu negotiation", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53517", "datePublished": "2025-10-01T11:46:04.673Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:04.673Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50466 (GCVE-0-2022-50466)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:

fs/binfmt_elf: Fix memory leak in load_elf_binary()

There is a memory leak reported by kmemleak:

  unreferenced object 0xffff88817104ef80 (size 224):
    comm "xfs_admin", pid 47165, jiffies 4298708825 (age 1333.476s)
    hex dump (first 32 bytes):
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff `.........Z.....
    backtrace:
      [<ffffffff819171e1>] __alloc_file+0x21/0x250
      [<ffffffff81918061>] alloc_empty_file+0x41/0xf0
      [<ffffffff81948cda>] path_openat+0xea/0x3d30
      [<ffffffff8194ec89>] do_filp_open+0x1b9/0x290
      [<ffffffff8192660e>] do_open_execat+0xce/0x5b0
      [<ffffffff81926b17>] open_exec+0x27/0x50
      [<ffffffff81a69250>] load_elf_binary+0x510/0x3ed0
      [<ffffffff81927759>] bprm_execve+0x599/0x1240
      [<ffffffff8192a997>] do_execveat_common.isra.0+0x4c7/0x680
      [<ffffffff8192b078>] __x64_sys_execve+0x88/0xb0
      [<ffffffff83bbf0a5>] do_syscall_64+0x35/0x80

If "interp_elf_ex" fails to allocate memory in load_elf_binary(),
the program will take the "out_free_ph" error handling path,
resulting in the "interpreter" file resource not being released.

Fix it by adding an error handling path "out_free_file", which will
release the file resource when "interp_elf_ex" failed to allocate
memory.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/binfmt_elf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "706215300411d48db6b51a5832b872632a84bbc1", "status": "affected", "version": "0693ffebcfe5ac7b31f63ad54587007f7d96fb7b", "versionType": "git" }, { "lessThan": "265b6fb780f57d10449a40e94219b28fa52479cc", "status": "affected", "version": "0693ffebcfe5ac7b31f63ad54587007f7d96fb7b", "versionType": "git" }, { "lessThan": "acd9b4914f1c5928c7ae8ebc623d6291eb1a573a", "status": "affected", "version": "0693ffebcfe5ac7b31f63ad54587007f7d96fb7b", "versionType": "git" }, { "lessThan": "594d2a14f2168c09b13b114c3d457aa939403e52", "status": "affected", "version": "0693ffebcfe5ac7b31f63ad54587007f7d96fb7b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/binfmt_elf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "versionStartIncluding": "5.7", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/binfmt_elf: Fix memory leak in load_elf_binary()\n\nThere is a memory leak reported by kmemleak:\n\n unreferenced object 0xffff88817104ef80 (size 224):\n comm \"xfs_admin\", pid 47165, jiffies 4298708825 (age 1333.476s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff `.........Z.....\n backtrace:\n [\u003cffffffff819171e1\u003e] __alloc_file+0x21/0x250\n [\u003cffffffff81918061\u003e] alloc_empty_file+0x41/0xf0\n [\u003cffffffff81948cda\u003e] path_openat+0xea/0x3d30\n [\u003cffffffff8194ec89\u003e] do_filp_open+0x1b9/0x290\n [\u003cffffffff8192660e\u003e] do_open_execat+0xce/0x5b0\n [\u003cffffffff81926b17\u003e] open_exec+0x27/0x50\n [\u003cffffffff81a69250\u003e] load_elf_binary+0x510/0x3ed0\n [\u003cffffffff81927759\u003e] bprm_execve+0x599/0x1240\n [\u003cffffffff8192a997\u003e] do_execveat_common.isra.0+0x4c7/0x680\n [\u003cffffffff8192b078\u003e] __x64_sys_execve+0x88/0xb0\n [\u003cffffffff83bbf0a5\u003e] do_syscall_64+0x35/0x80\n\nIf \"interp_elf_ex\" fails to allocate memory in load_elf_binary(),\nthe program will take the \"out_free_ph\" error handing path,\nresulting in \"interpreter\" file resource is not released.\n\nFix it by adding an error handing path \"out_free_file\", which will\nrelease the file resource when \"interp_elf_ex\" failed to allocate\nmemory." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:37.376Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/706215300411d48db6b51a5832b872632a84bbc1" }, { "url": "https://git.kernel.org/stable/c/265b6fb780f57d10449a40e94219b28fa52479cc" }, { "url": "https://git.kernel.org/stable/c/acd9b4914f1c5928c7ae8ebc623d6291eb1a573a" }, { "url": "https://git.kernel.org/stable/c/594d2a14f2168c09b13b114c3d457aa939403e52" } ], "title": "fs/binfmt_elf: Fix memory leak in load_elf_binary()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50466", "datePublished": "2025-10-01T11:45:37.376Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:37.376Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53487 (GCVE-0-2023-53487)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
/proc/powerpc/rtas/firmware_update interface to prepare a system
firmware update yields a BUG():

  kernel BUG at mm/usercopy.c:102!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
  NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
  REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)
  MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002242 XER: 0000000c
  CFAR: c0000000001fbd34 IRQMASK: 0
  [ ... GPRs omitted ... ]
  NIP usercopy_abort+0xa0/0xb0
  LR usercopy_abort+0x9c/0xb0
  Call Trace:
    usercopy_abort+0x9c/0xb0 (unreliable)
    __check_heap_object+0x1b4/0x1d0
    __check_object_size+0x2d0/0x380
    rtas_flash_write+0xe4/0x250
    proc_reg_write+0xfc/0x160
    vfs_write+0xfc/0x4e0
    ksys_write+0x90/0x160
    system_call_exception+0x178/0x320
    system_call_common+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory
to objects allocated from flash_block_cache, so flash_block_cache must
be created using kmem_cache_create_usercopy() to mark it safe for user
access.

[mpe: Trim and indent oops]
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 6d07d1cd300f4c7e16005f881fea388164999cc8
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/rtas_flash.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8f09cc15dcd91d16562400c51d24c7be0d5796fa", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "1d29e21ed09fa668416fa7721e08d451b9903485", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "0ba7f969be599e21d4b1f1e947593de6515f4996", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "8ef25fb13494e35c6dbe15445c7875fa92bc3e8b", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "b8fee83aa4ed3846c7f50a0b364bc699f48d96e5", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "6acb8a453388374fafb3c3b37534b675b2aa0ae1", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" }, { "lessThan": "4f3175979e62de3b929bfa54a0db4b87d36257a7", "status": "affected", "version": "6d07d1cd300f4c7e16005f881fea388164999cc8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/rtas_flash.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.16" }, { "lessThan": "4.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": 
"5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.128", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.47", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.128", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.47", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.12", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "4.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n kernel BUG at 
mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in:\n CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)\n MSR: 8000000000029033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e CR: 24002242 XER: 0000000c\n CFAR: c0000000001fbd34 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP usercopy_abort+0xa0/0xb0\n LR usercopy_abort+0x9c/0xb0\n Call Trace:\n usercopy_abort+0x9c/0xb0 (unreliable)\n __check_heap_object+0x1b4/0x1d0\n __check_object_size+0x2d0/0x380\n rtas_flash_write+0xe4/0x250\n proc_reg_write+0xfc/0x160\n vfs_write+0xfc/0x4e0\n ksys_write+0x90/0x160\n system_call_exception+0x178/0x320\n system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:54.747Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa" }, { "url": "https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485" }, { "url": "https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996" }, { "url": "https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b" }, { "url": "https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5" }, { "url": "https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1" }, { "url": "https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7" } ], "title": "powerpc/rtas_flash: 
allow user copy to flash block cache objects", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53487", "datePublished": "2025-10-01T11:42:54.747Z", "dateReserved": "2025-10-01T11:39:39.402Z", "dateUpdated": "2025-10-01T11:42:54.747Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53505 (GCVE-0-2023-53505)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra: tegra124-emc: Fix potential memory leak
The tegra and tegra needs to be freed in the error handling path, otherwise
it will be leaked.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 2db04f16b589c6c96bd07df3f1ef8558bfdb6810
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra124-emc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "801c8341f7aff07c494b53e627970b72635af5d3", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "404e9f741acfb188212f7142d91e247630dd77cc", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "fd1c117bb5d7e033bf1aa25ac97ff421f81a1199", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "96bafece6ff380138896f009141fd7337070e680", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "e969c144d908ea9387442659f103d374c8ff682d", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "4e59e355f9fcccd9edf65d09f769bb4c163a1c36", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" }, { "lessThan": "53a06e5924c0d43c11379a08c5a78529c3e61595", "status": "affected", "version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra124-emc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.251", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", 
"version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.13", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.251", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.13", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: tegra124-emc: Fix potential memory leak\n\nThe tegra and tegra needs to be freed in the error handling path, otherwise\nit will be leaked." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:55.859Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/801c8341f7aff07c494b53e627970b72635af5d3" }, { "url": "https://git.kernel.org/stable/c/404e9f741acfb188212f7142d91e247630dd77cc" }, { "url": "https://git.kernel.org/stable/c/fd1c117bb5d7e033bf1aa25ac97ff421f81a1199" }, { "url": "https://git.kernel.org/stable/c/96bafece6ff380138896f009141fd7337070e680" }, { "url": "https://git.kernel.org/stable/c/e969c144d908ea9387442659f103d374c8ff682d" }, { "url": "https://git.kernel.org/stable/c/4e59e355f9fcccd9edf65d09f769bb4c163a1c36" }, { "url": "https://git.kernel.org/stable/c/53a06e5924c0d43c11379a08c5a78529c3e61595" } ], "title": "clk: tegra: tegra124-emc: Fix potential memory leak", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53505", "datePublished": "2025-10-01T11:45:55.859Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T11:45:55.859Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53453 (GCVE-0-2023-53453)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: free iio for atombios when driver shutdown
Fix below kmemleak when unload radeon driver:
unreferenced object 0xffff9f8608ede200 (size 512):
comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s)
hex dump (first 32 bytes):
00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500
[<00000000b6883cea>] atom_parse+0x117/0x230 [radeon]
[<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon]
[<00000000683f672e>] si_init+0x57/0x750 [radeon]
[<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon]
[<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon]
[<00000000b5155064>] drm_dev_register+0xdd/0x1d0
[<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon]
[<00000000e69ecca3>] pci_device_probe+0xe1/0x160
[<0000000019484b76>] really_probe.part.0+0xc1/0x2c0
[<000000003f2649da>] __driver_probe_device+0x96/0x130
[<00000000231c5bb1>] driver_probe_device+0x24/0xf0
[<0000000000a42377>] __driver_attach+0x77/0x190
[<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0
[<00000000633166d2>] driver_attach+0x1e/0x30
[<00000000313b05b8>] bus_add_driver+0x12c/0x1e0
iio was allocated in atom_index_iio() called by atom_parse(),
but it doesn't get released when the driver is shut down.
Fix this kmemleak by freeing it in radeon_atombios_fini().
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/radeon/radeon_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cb109cedbba11c33473e6780c256d8442a9e4460", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9cdb96b55651c92fc949cfd54124406c3c912b6b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f9f55fc64928b5e30d78f861c5fc76db9e769ebb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ce9e9d3dcbb0d1551ffd1a7f16e7c051f3ba4140", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cda2f7efbc2d857220dad32e315a54565b285c1c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "107b8b542bb9dab4cbdc3276c85fbdd7f6782313", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e2791f2f4d1d804e45fa91b14295c326b64c65f1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4773fadedca918faec443daaca5e4ea1c0ced144", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/radeon/radeon_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.308", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.276", "versionType": "semver" }, { "lessThanOrEqual": 
"5.4.*", "status": "unaffected", "version": "5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.308", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.276", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: free iio for atombios when driver shutdown\n\nFix below kmemleak when unload radeon driver:\n\nunreferenced object 0xffff9f8608ede200 (size 512):\n comm \"systemd-udevd\", pid 326, jiffies 4294682822 (age 716.338s)\n hex 
dump (first 32 bytes):\n 00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c0000000062fadebe\u003e] kmem_cache_alloc_trace+0x2f1/0x500\n [\u003c00000000b6883cea\u003e] atom_parse+0x117/0x230 [radeon]\n [\u003c00000000158c23fd\u003e] radeon_atombios_init+0xab/0x170 [radeon]\n [\u003c00000000683f672e\u003e] si_init+0x57/0x750 [radeon]\n [\u003c00000000566cc31f\u003e] radeon_device_init+0x559/0x9c0 [radeon]\n [\u003c0000000046efabb3\u003e] radeon_driver_load_kms+0xc1/0x1a0 [radeon]\n [\u003c00000000b5155064\u003e] drm_dev_register+0xdd/0x1d0\n [\u003c0000000045fec835\u003e] radeon_pci_probe+0xbd/0x100 [radeon]\n [\u003c00000000e69ecca3\u003e] pci_device_probe+0xe1/0x160\n [\u003c0000000019484b76\u003e] really_probe.part.0+0xc1/0x2c0\n [\u003c000000003f2649da\u003e] __driver_probe_device+0x96/0x130\n [\u003c00000000231c5bb1\u003e] driver_probe_device+0x24/0xf0\n [\u003c0000000000a42377\u003e] __driver_attach+0x77/0x190\n [\u003c00000000d7574da6\u003e] bus_for_each_dev+0x7f/0xd0\n [\u003c00000000633166d2\u003e] driver_attach+0x1e/0x30\n [\u003c00000000313b05b8\u003e] bus_add_driver+0x12c/0x1e0\n\niio was allocated in atom_index_iio() called by atom_parse(),\nbut it doesn\u0027t got released when the dirver is shutdown.\nFix this kmemleak by free it in radeon_atombios_fini()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:24.649Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cb109cedbba11c33473e6780c256d8442a9e4460" }, { "url": "https://git.kernel.org/stable/c/9cdb96b55651c92fc949cfd54124406c3c912b6b" }, { "url": "https://git.kernel.org/stable/c/f9f55fc64928b5e30d78f861c5fc76db9e769ebb" }, { "url": "https://git.kernel.org/stable/c/ce9e9d3dcbb0d1551ffd1a7f16e7c051f3ba4140" }, { "url": "https://git.kernel.org/stable/c/cda2f7efbc2d857220dad32e315a54565b285c1c" }, { "url": "https://git.kernel.org/stable/c/107b8b542bb9dab4cbdc3276c85fbdd7f6782313" }, { "url": "https://git.kernel.org/stable/c/e2791f2f4d1d804e45fa91b14295c326b64c65f1" }, { "url": "https://git.kernel.org/stable/c/4773fadedca918faec443daaca5e4ea1c0ced144" } ], "title": "drm/radeon: free iio for atombios when driver shutdown", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53453", "datePublished": "2025-10-01T11:42:24.649Z", "dateReserved": "2025-09-17T14:54:09.754Z", "dateUpdated": "2025-10-01T11:42:24.649Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-34319 (GCVE-0-2023-34319)
Vulnerability from cvelistv5
Published
2023-09-22 13:34
Modified
2025-06-18 14:26
Summary
The fix for XSA-423 added logic to Linux's netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece. Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together. Such an unusual packet would therefore trigger a
buffer overrun in the driver.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:06.547Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-432.html" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240202-0001/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-34319", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-06-18T14:25:25.464362Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-18T14:26:05.359Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Linux", "vendor": "Linux", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-432" } ] } ], "configurations": [ { "lang": "en", "value": "All systems using a Linux based network backend with kernel 3.19 and\nnewer are vulnerable, on the assumption that the fix for XSA-423 
was\ntaken. Systems using other network backends are not known to be\nvulnerable." } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by Ross Lagerwall of Citrix." } ], "datePublic": "2023-09-19T12:00:00.000Z", "descriptions": [ { "lang": "en", "value": "The fix for XSA-423 added logic to Linux\u0027es netback driver to deal with\na frontend splitting a packet in a way such that not all of the headers\nwould come in one piece. Unfortunately the logic introduced there\ndidn\u0027t account for the extreme case of the entire packet being split\ninto as many pieces as permitted by the protocol, yet still being\nsmaller than the area that\u0027s specially dealt with to keep all (possible)\nheaders together. Such an unusual packet would therefore trigger a\nbuffer overrun in the driver." } ], "impacts": [ { "descriptions": [ { "lang": "en", "value": "An unprivileged guest can cause Denial of Service (DoS) of the host by sending network packets to the backend, causing the backend to crash. Data corruption or privilege escalation seem unlikely but have not been ruled out." } ] } ], "providerMetadata": { "dateUpdated": "2024-02-02T14:06:14.314Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-432.html" }, { "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html" }, { "url": "https://security.netapp.com/advisory/ntap-20240202-0001/" } ], "title": "Linux: buffer overrun in netback due to unusual packet", "workarounds": [ { "lang": "en", "value": "Using another PV network backend (e.g. the qemu based \"qnic\" backend)\nwill mitigate the problem.\n\nUsing a dedicated network driver domain per guest will mitigate the\nproblem." 
} ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2023-34319", "datePublished": "2023-09-22T13:34:44.424Z", "dateReserved": "2023-06-01T10:44:17.064Z", "dateUpdated": "2025-06-18T14:26:05.359Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-4460 (GCVE-0-2021-4460)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up
doing a shift operation where the number of bits shifted equals
number of bits in the operand. This behaviour is undefined.
Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the
count is >= number of bits in the operand.
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0c0356ef2498c1a250fe3846f30293f828737309", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1874b0ef1426b873de94c61861e38f29a8df714c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3fdc5182700910a685d23df57d65166e8556a266", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9069b1b542de8f3bbffef868aff41521b21485cf", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "50e2fc36e72d4ad672032ebf646cecb48656efe0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.118", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.36", "versionType": "semver" }, { "lessThanOrEqual": "5.11.*", "status": "unaffected", "version": "5.11.20", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.118", 
"vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.11.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.12.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix UBSAN shift-out-of-bounds warning\n\nIf get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up\ndoing a shift operation where the number of bits shifted equals\nnumber of bits in the operand. This behaviour is undefined.\n\nSet num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the\ncount is \u003e= number of bits in the operand.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:19.050Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0c0356ef2498c1a250fe3846f30293f828737309" }, { "url": "https://git.kernel.org/stable/c/1874b0ef1426b873de94c61861e38f29a8df714c" }, { "url": "https://git.kernel.org/stable/c/3fdc5182700910a685d23df57d65166e8556a266" }, { "url": "https://git.kernel.org/stable/c/9069b1b542de8f3bbffef868aff41521b21485cf" }, { "url": "https://git.kernel.org/stable/c/50e2fc36e72d4ad672032ebf646cecb48656efe0" } ], "title": "drm/amdkfd: Fix UBSAN shift-out-of-bounds warning", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-4460", "datePublished": "2025-10-01T11:45:19.050Z", "dateReserved": 
"2025-10-01T11:38:13.842Z", "dateUpdated": "2025-10-01T11:45:19.050Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50453 (GCVE-0-2022-50453)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: cdev: fix NULL-pointer dereferences
There are several places where we can crash the kernel by requesting
lines, unbinding the GPIO device, then calling any of the system calls
relevant to the GPIO character device's anonymous file descriptors:
ioctl(), read(), poll().
While I observed it with the GPIO simulator, it will also happen for any
of the GPIO devices that can be hot-unplugged - for instance any HID GPIO
expander (e.g. CP2112).
This affects both v1 and v2 uAPI.
This fixes it partially by checking if gdev->chip is not NULL but it
doesn't entirely remedy the situation as we still have a race condition
in which another thread can remove the device after the check.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: d7c51b47ac11e66f547b55640405c1c474642d72
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpio/gpiolib-cdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6d79546622baab843172b52c3af035f83c1b21df", "status": "affected", "version": "d7c51b47ac11e66f547b55640405c1c474642d72", "versionType": "git" }, { "lessThan": "7c755a2d6df511eeb5afba966ac28140f9ea5063", "status": "affected", "version": "d7c51b47ac11e66f547b55640405c1c474642d72", "versionType": "git" }, { "lessThan": "d66f68ac9e7ba46b6b90fbe25155723f2126088a", "status": "affected", "version": "d7c51b47ac11e66f547b55640405c1c474642d72", "versionType": "git" }, { "lessThan": "ac6ce3cd7a3e10a2e37b8970bab81b4d33d5cfc3", "status": "affected", "version": "d7c51b47ac11e66f547b55640405c1c474642d72", "versionType": "git" }, { "lessThan": "533aae7c94dbc2b14301cfd68ae7e0e90f0c8438", "status": "affected", "version": "d7c51b47ac11e66f547b55640405c1c474642d72", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpio/gpiolib-cdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "4.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix NULL-pointer dereferences\n\nThere are several places where we can crash the kernel by requesting\nlines, unbinding the GPIO device, then calling any of the system calls\nrelevant to the GPIO character device\u0027s annonymous file descriptors:\nioctl(), read(), poll().\n\nWhile I observed it with the GPIO simulator, it will also happen for any\nof the GPIO devices that can be hot-unplugged - for instance any HID GPIO\nexpander (e.g. CP2112).\n\nThis affects both v1 and v2 uAPI.\n\nThis fixes it partially by checking if gdev-\u003echip is not NULL but it\ndoesn\u0027t entirely remedy the situation as we still have a race condition\nin which another thread can remove the device after the check." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:26.499Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6d79546622baab843172b52c3af035f83c1b21df" }, { "url": "https://git.kernel.org/stable/c/7c755a2d6df511eeb5afba966ac28140f9ea5063" }, { "url": "https://git.kernel.org/stable/c/d66f68ac9e7ba46b6b90fbe25155723f2126088a" }, { "url": "https://git.kernel.org/stable/c/ac6ce3cd7a3e10a2e37b8970bab81b4d33d5cfc3" }, { "url": "https://git.kernel.org/stable/c/533aae7c94dbc2b14301cfd68ae7e0e90f0c8438" } ], "title": "gpiolib: cdev: fix NULL-pointer dereferences", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50453", "datePublished": "2025-10-01T11:45:26.499Z", "dateReserved": "2025-09-17T14:53:07.013Z", "dateUpdated": "2025-10-01T11:45:26.499Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53479 (GCVE-0-2023-53479)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
KASAN and KFENCE detected a use-after-free in the CXL driver. This
happens in the cxl_decoder_add() fail path. KASAN prints the following
error:
BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)
This happens in cxl_parse_cfmws(), where put_device() is called,
releasing cxld, which is accessed later.
Use the local variables in the dev_err() instead of pointing to the
released memory. Since the dev_err() is printing a resource, change the open
coded print format to use the %pr format specifier.
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/cxl/acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "748fadc08bcbdaf573b34d9784bb3dbd87441dbf", "status": "affected", "version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb", "versionType": "git" }, { "lessThan": "316db489647b8ddc381682597e89787eac61a278", "status": "affected", "version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb", "versionType": "git" }, { "lessThan": "4cf67d3cc9994a59cf77bb9c0ccf9007fe916afe", "status": "affected", "version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/cxl/acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.43", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.43", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.8", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following 
vulnerability has been resolved:\n\ncxl/acpi: Fix a use-after-free in cxl_parse_cfmws()\n\nKASAN and KFENCE detected an user-after-free in the CXL driver. This\nhappens in the cxl_decoder_add() fail path. KASAN prints the following\nerror:\n\n BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)\n\nThis happens in cxl_parse_cfmws(), where put_device() is called,\nreleasing cxld, which is accessed later.\n\nUse the local variables in the dev_err() instead of pointing to the\nreleased memory. Since the dev_err() is printing a resource, change the open\ncoded print format to use the %pr format specifier." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:47.987Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/748fadc08bcbdaf573b34d9784bb3dbd87441dbf" }, { "url": "https://git.kernel.org/stable/c/316db489647b8ddc381682597e89787eac61a278" }, { "url": "https://git.kernel.org/stable/c/4cf67d3cc9994a59cf77bb9c0ccf9007fe916afe" } ], "title": "cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53479", "datePublished": "2025-10-01T11:42:47.987Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:47.987Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50468 (GCVE-0-2022-50468)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
The following WARNING message was given when rmmod cros_usbpd_notify:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0
Modules linked in: cros_usbpd_notify(-)
CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24
...
Call Trace:
<TASK>
cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]
__x64_sys_delete_module+0x3c7/0x570
? __ia32_sys_delete_module+0x570/0x570
? lock_is_held_type+0xe3/0x140
? syscall_enter_from_user_mode+0x17/0x50
? rcu_read_lock_sched_held+0xa0/0xd0
? syscall_enter_from_user_mode+0x1c/0x50
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f333fe9b1b7
The reason is that the cros_usbpd_notify_init() does not check the return
value of platform_driver_register(), and the cros_usbpd_notify can
install successfully even if platform_driver_register() failed.
Fix by checking the return value of platform_driver_register() and
unregister cros_usbpd_notify_plat_driver when it failed.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: ec2daf6e33f9f9113ba085b6ff88592907b6f1ce
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/platform/chrome/cros_usbpd_notify.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5c0cacdd354987f8f5348d16908716f154047890", "status": "affected", "version": "ec2daf6e33f9f9113ba085b6ff88592907b6f1ce", "versionType": "git" }, { "lessThan": "cab345f9d51943898e406275f9607c145adb1877", "status": "affected", "version": "ec2daf6e33f9f9113ba085b6ff88592907b6f1ce", "versionType": "git" }, { "lessThan": "7b6ee54995739202b4a0cc01b7e9269f761c573d", "status": "affected", "version": "ec2daf6e33f9f9113ba085b6ff88592907b6f1ce", "versionType": "git" }, { "lessThan": "751f12696d797e785d2611099fe9f0569d47556e", "status": "affected", "version": "ec2daf6e33f9f9113ba085b6ff88592907b6f1ce", "versionType": "git" }, { "lessThan": "5a2d96623670155d94aca72c320c0ac27bdc6bd2", "status": "affected", "version": "ec2daf6e33f9f9113ba085b6ff88592907b6f1ce", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/platform/chrome/cros_usbpd_notify.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { 
"cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()\n\nThe following WARNING message was given when rmmod cros_usbpd_notify:\n\n Unexpected driver unregister!\n WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0\n Modules linked in: cros_usbpd_notify(-)\n CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24\n ...\n Call Trace:\n \u003cTASK\u003e\n cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]\n __x64_sys_delete_module+0x3c7/0x570\n ? __ia32_sys_delete_module+0x570/0x570\n ? lock_is_held_type+0xe3/0x140\n ? syscall_enter_from_user_mode+0x17/0x50\n ? rcu_read_lock_sched_held+0xa0/0xd0\n ? 
syscall_enter_from_user_mode+0x1c/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f333fe9b1b7\n\nThe reason is that the cros_usbpd_notify_init() does not check the return\nvalue of platform_driver_register(), and the cros_usbpd_notify can\ninstall successfully even if platform_driver_register() failed.\n\nFix by checking the return value of platform_driver_register() and\nunregister cros_usbpd_notify_plat_driver when it failed." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:38.881Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5c0cacdd354987f8f5348d16908716f154047890" }, { "url": "https://git.kernel.org/stable/c/cab345f9d51943898e406275f9607c145adb1877" }, { "url": "https://git.kernel.org/stable/c/7b6ee54995739202b4a0cc01b7e9269f761c573d" }, { "url": "https://git.kernel.org/stable/c/751f12696d797e785d2611099fe9f0569d47556e" }, { "url": "https://git.kernel.org/stable/c/5a2d96623670155d94aca72c320c0ac27bdc6bd2" } ], "title": "platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50468", "datePublished": "2025-10-01T11:45:38.881Z", "dateReserved": "2025-10-01T11:38:45.642Z", "dateUpdated": "2025-10-01T11:45:38.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50463 (GCVE-0-2022-50463)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/52xx: Fix a resource leak in an error handling path
The error handling path of mpc52xx_lpbfifo_probe() has a request_irq()
that is not balanced by a corresponding free_irq().
Add the missing call, as already done in the remove function.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 3c9059d79f5eea6b8b75ddac97693127c3c41db4
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "be9caf2c936f15a9c3f9111e62bdde6357312f90", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "f4ad0a7f0e78d65d38921ab2bef234e49be78b10", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "e4002f293e5b44e57d2930513cca0dff32249812", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "9bf842ffdd216b9f94d5b051b5d8b815f2426538", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "40b4be399e0db7073dec5a0de5ca9994f7e31e58", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "0accd460dc7bbe5f55e41a8867c63db9d07b3ec8", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "cbda93665a3857324f5c79e45769a83c78183199", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "fb3ef6a5af4b003502c940ea50c0f55b06ebbfc9", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" }, { "lessThan": "5836947613ef33d311b4eff6a32d019580a214f5", "status": "affected", "version": "3c9059d79f5eea6b8b75ddac97693127c3c41db4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.33" }, { "lessThan": 
"2.6.33", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "2.6.33", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "2.6.33", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "2.6.33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/52xx: Fix a resource leak in an error handling path\n\nThe error handling path of mpc52xx_lpbfifo_probe() has a request_irq()\nthat is not balanced by a corresponding free_irq().\n\nAdd the missing call, as already done in the remove function." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:34.858Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/be9caf2c936f15a9c3f9111e62bdde6357312f90" }, { "url": "https://git.kernel.org/stable/c/f4ad0a7f0e78d65d38921ab2bef234e49be78b10" }, { "url": "https://git.kernel.org/stable/c/e4002f293e5b44e57d2930513cca0dff32249812" }, { "url": "https://git.kernel.org/stable/c/9bf842ffdd216b9f94d5b051b5d8b815f2426538" }, { "url": "https://git.kernel.org/stable/c/40b4be399e0db7073dec5a0de5ca9994f7e31e58" }, { "url": "https://git.kernel.org/stable/c/0accd460dc7bbe5f55e41a8867c63db9d07b3ec8" }, { "url": "https://git.kernel.org/stable/c/cbda93665a3857324f5c79e45769a83c78183199" }, { "url": "https://git.kernel.org/stable/c/fb3ef6a5af4b003502c940ea50c0f55b06ebbfc9" }, { "url": "https://git.kernel.org/stable/c/5836947613ef33d311b4eff6a32d019580a214f5" } ], "title": "powerpc/52xx: Fix a resource leak in an error handling path", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50463", "datePublished": "2025-10-01T11:45:34.858Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:34.858Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53462 (GCVE-0-2023-53462)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
hsr: Fix uninit-value access in fill_frame_info()
Syzbot reports the following uninit-value access problem.
=====================================================
BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]
BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
fill_frame_info net/hsr/hsr_forward.c:601 [inline]
hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223
__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
netdev_start_xmit include/linux/netdevice.h:4903 [inline]
xmit_one net/core/dev.c:3544 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
__dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
__sys_sendto+0x781/0xa30 net/socket.c:2176
__do_sys_sendto net/socket.c:2188 [inline]
__se_sys_sendto net/socket.c:2184 [inline]
__ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
packet_alloc_skb net/packet/af_packet.c:2936 [inline]
packet_snd net/packet/af_packet.c:3030 [inline]
packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
__sys_sendto+0x781/0xa30 net/socket.c:2176
__do_sys_sendto net/socket.c:2188 [inline]
__se_sys_sendto net/socket.c:2184 [inline]
__ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
It is because VLAN is not yet supported in the hsr driver. Return error
when protocol is ETH_P_8021Q in fill_frame_info() now to fix it.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 451d8123f89791bb628277c0bdb4cae34a3563e6
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/hsr/hsr_forward.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1e90a93ac4845c31724ec5dc96fb51e608435a9d", "status": "affected", "version": "451d8123f89791bb628277c0bdb4cae34a3563e6", "versionType": "git" }, { "lessThan": "6a4480c5e6ebaf9f797ac300e2a97a02d4e70cfd", "status": "affected", "version": "451d8123f89791bb628277c0bdb4cae34a3563e6", "versionType": "git" }, { "lessThan": "61866f7d814e5792bf47410d7d3ff32e49bd292a", "status": "affected", "version": "451d8123f89791bb628277c0bdb4cae34a3563e6", "versionType": "git" }, { "lessThan": "ed7a0ba7e840dc5d54cdbd8466be27e6aedce1e5", "status": "affected", "version": "451d8123f89791bb628277c0bdb4cae34a3563e6", "versionType": "git" }, { "lessThan": "484b4833c604c0adcf19eac1ca14b60b757355b5", "status": "affected", "version": "451d8123f89791bb628277c0bdb4cae34a3563e6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/hsr/hsr_forward.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.54", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.54", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in fill_frame_info()\n\nSyzbot reports the following uninit-value access problem.\n\n=====================================================\nBUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]\nBUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n fill_frame_info net/hsr/hsr_forward.c:601 [inline]\n hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4889 [inline]\n netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n xmit_one net/core/dev.c:3544 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560\n __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340\n dev_queue_xmit include/linux/netdevice.h:3082 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 
net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:644\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nIt is because VLAN not yet supported in hsr driver. Return error\nwhen protocol is ETH_P_8021Q in fill_frame_info() now to fix it." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:33.434Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1e90a93ac4845c31724ec5dc96fb51e608435a9d" }, { "url": "https://git.kernel.org/stable/c/6a4480c5e6ebaf9f797ac300e2a97a02d4e70cfd" }, { "url": "https://git.kernel.org/stable/c/61866f7d814e5792bf47410d7d3ff32e49bd292a" }, { "url": "https://git.kernel.org/stable/c/ed7a0ba7e840dc5d54cdbd8466be27e6aedce1e5" }, { "url": "https://git.kernel.org/stable/c/484b4833c604c0adcf19eac1ca14b60b757355b5" } ], "title": "hsr: Fix uninit-value access in fill_frame_info()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53462", "datePublished": "2025-10-01T11:42:33.434Z", "dateReserved": "2025-10-01T11:39:39.399Z", "dateUpdated": "2025-10-01T11:42:33.434Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53527 (GCVE-0-2023-53527)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()
The memory allocated in tb_queue_dp_bandwidth_request() needs to be
released once the request is handled to avoid leaking it.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/thunderbolt/tb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0752bb32aed2c5dd85821195a507a1079c4835f7", "status": "affected", "version": "6ce3563520be90a155706bafc186fc264a13850e", "versionType": "git" }, { "lessThan": "596a5123cc782d458b057eb3837e66535cd0befa", "status": "affected", "version": "6ce3563520be90a155706bafc186fc264a13850e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/thunderbolt/tb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.11", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()\n\nThe memory allocated in tb_queue_dp_bandwidth_request() needs to be\nreleased once the request is handled to avoid leaking it." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:12.696Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0752bb32aed2c5dd85821195a507a1079c4835f7" }, { "url": "https://git.kernel.org/stable/c/596a5123cc782d458b057eb3837e66535cd0befa" } ], "title": "thunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53527", "datePublished": "2025-10-01T11:46:12.696Z", "dateReserved": "2025-10-01T11:39:39.408Z", "dateUpdated": "2025-10-01T11:46:12.696Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50469 (GCVE-0-2022-50469)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
In rtw_init_drv_sw(), various init functions are called to
populate the padapter structure, with some checks for their return values.
However, except for the first error path, the other five error paths
do not properly release the previously allocated resources, which leads to
various memory leaks.
This patch fixes them and keeps the success and error separate.
Note that these changes keep the form of `rtw_init_drv_sw()` in
"drivers/staging/r8188eu/os_dep/os_intfs.c". As there is no proper device
to test with, no runtime testing was performed.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/staging/rtl8723bs/os_dep/os_intfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b4573a2bad3c3e2643ef3939079eb7035a30e6ee", "status": "affected", "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "versionType": "git" }, { "lessThan": "6b2052b365f8035ab7f09ac24b5b499002b298cb", "status": "affected", "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "versionType": "git" }, { "lessThan": "d95d1526d9f06978c1a7186810a5490d72c62742", "status": "affected", "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "versionType": "git" }, { "lessThan": "5a5aa9cce621e2c0e25a1e5d72d6be1749167cc0", "status": "affected", "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/staging/rtl8723bs/os_dep/os_intfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.12" }, { "lessThan": "4.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "4.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", 
"versionStartIncluding": "4.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "4.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "4.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()\n\nIn rtw_init_drv_sw(), there are various init functions are called to\npopulate the padapter structure and some checks for their return value.\nHowever, except for the first one error path, the other five error paths\ndo not properly release the previous allocated resources, which leads to\nvarious memory leaks.\n\nThis patch fixes them and keeps the success and error separate.\nNote that these changes keep the form of `rtw_init_drv_sw()` in\n\"drivers/staging/r8188eu/os_dep/os_intfs.c\". As there is no proper device\nto test with, no runtime testing was performed." 
} ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:18.862Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b4573a2bad3c3e2643ef3939079eb7035a30e6ee" }, { "url": "https://git.kernel.org/stable/c/6b2052b365f8035ab7f09ac24b5b499002b298cb" }, { "url": "https://git.kernel.org/stable/c/d95d1526d9f06978c1a7186810a5490d72c62742" }, { "url": "https://git.kernel.org/stable/c/5a5aa9cce621e2c0e25a1e5d72d6be1749167cc0" } ], "title": "staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50469", "datePublished": "2025-10-01T11:45:39.811Z", "dateReserved": "2025-10-01T11:38:45.642Z", "dateUpdated": "2025-10-02T07:04:18.862Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53448 (GCVE-0-2023-53448)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: imxfb: Removed unneeded release_mem_region
Remove unnecessary release_mem_region from the error path to prevent
mem region from being released twice, which could avoid resource leak
or other unexpected issues.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/imxfb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6aa851f6276fa08cd59b044bc2b803c49edf58a2", "status": "affected", "version": "b083c22d51148f3d3028291343196471be5d9f36", "versionType": "git" }, { "lessThan": "38282a92c30422836d49e519bd109237f86a0888", "status": "affected", "version": "b083c22d51148f3d3028291343196471be5d9f36", "versionType": "git" }, { "lessThan": "45fcc058a75bf5d65cf4c32da44a252fbe873cd4", "status": "affected", "version": "b083c22d51148f3d3028291343196471be5d9f36", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/imxfb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.42", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.42", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux 
kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Removed unneeded release_mem_region\n\nRemove unnecessary release_mem_region from the error path to prevent\nmem region from being released twice, which could avoid resource leak\nor other unexpected issues." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:20.557Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6aa851f6276fa08cd59b044bc2b803c49edf58a2" }, { "url": "https://git.kernel.org/stable/c/38282a92c30422836d49e519bd109237f86a0888" }, { "url": "https://git.kernel.org/stable/c/45fcc058a75bf5d65cf4c32da44a252fbe873cd4" } ], "title": "fbdev: imxfb: Removed unneeded release_mem_region", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53448", "datePublished": "2025-10-01T11:42:20.557Z", "dateReserved": "2025-09-17T14:54:09.753Z", "dateUpdated": "2025-10-01T11:42:20.557Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53482 (GCVE-0-2023-53482)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix error unwind in iommu_group_alloc()
If either iommu_group_grate_file() fails then the
iommu_group is leaked.
Destroy it on these error paths.
Found by kselftest/iommu/iommufd_fail_nth
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iommu/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f119ef452e2d82d912797273cb790a86f1125b3e", "status": "affected", "version": "bc7d12b91bd35477fd650c4d72b61239de9d9066", "versionType": "git" }, { "lessThan": "4c23124b45ee0aa895ed8d5d08871ae6b15ee336", "status": "affected", "version": "bc7d12b91bd35477fd650c4d72b61239de9d9066", "versionType": "git" }, { "lessThan": "8602fa38a63fc689eca29c8c586fac2d8a1f8739", "status": "affected", "version": "bc7d12b91bd35477fd650c4d72b61239de9d9066", "versionType": "git" }, { "lessThan": "4daa861174d56023c2068ddb03de0752f07fa199", "status": "affected", "version": "bc7d12b91bd35477fd650c4d72b61239de9d9066", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iommu/iommu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.11" }, { "lessThan": "4.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "4.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "4.11", "vulnerable": 
true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "4.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix error unwind in iommu_group_alloc()\n\nIf either iommu_group_grate_file() fails then the\niommu_group is leaked.\n\nDestroy it on these error paths.\n\nFound by kselftest/iommu/iommufd_fail_nth" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:50.800Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f119ef452e2d82d912797273cb790a86f1125b3e" }, { "url": "https://git.kernel.org/stable/c/4c23124b45ee0aa895ed8d5d08871ae6b15ee336" }, { "url": "https://git.kernel.org/stable/c/8602fa38a63fc689eca29c8c586fac2d8a1f8739" }, { "url": "https://git.kernel.org/stable/c/4daa861174d56023c2068ddb03de0752f07fa199" } ], "title": "iommu: Fix error unwind in iommu_group_alloc()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53482", "datePublished": "2025-10-01T11:42:50.800Z", "dateReserved": "2025-10-01T11:39:39.402Z", "dateUpdated": "2025-10-01T11:42:50.800Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53460 (GCVE-0-2023-53460)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix memory leak in rtw_usb_probe()
drivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()
warn: 'hw' from ieee80211_alloc_hw() not released on lines: 811
Fix this by modifying return to a goto statement.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6cc92379b80af005e1f49ef6ef790cddc58cf0da", "status": "affected", "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9", "versionType": "git" }, { "lessThan": "48181d285623198c33bb9698992502687b258efa", "status": "affected", "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/usb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.2" }, { "lessThan": "5.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix memory leak in rtw_usb_probe()\n\ndrivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()\nwarn: \u0027hw\u0027 from ieee80211_alloc_hw() not released on lines: 811\n\nFix this by modifying return to a goto statement." 
} ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:21.343Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6cc92379b80af005e1f49ef6ef790cddc58cf0da" }, { "url": "https://git.kernel.org/stable/c/48181d285623198c33bb9698992502687b258efa" } ], "title": "wifi: rtw88: fix memory leak in rtw_usb_probe()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53460", "datePublished": "2025-10-01T11:42:31.620Z", "dateReserved": "2025-10-01T11:39:39.399Z", "dateUpdated": "2025-10-02T07:04:21.343Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53493 (GCVE-0-2023-53493)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: tighten bounds checking in decode_message()
Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns. Ensure that there is
enough space for at least one header so that we don't have a negative
size later.

    if (msg_hdr_len < sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the
msg->data.

    if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
        return -EINVAL;

Check that the trans_hdr->len is not below the minimum size:

    if (hdr_len < sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.

    memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));

And finally, use size_add() to prevent an integer overflow:

    if (size_add(msg_len, hdr_len) > msg_hdr_len)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/accel/qaic/qaic_control.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd", "status": "affected", "version": "129776ac2e38231fa9c02ce20e116c99de291666", "versionType": "git" }, { "lessThan": "51b56382ed2a2b03347372272362b3baa623ed1e", "status": "affected", "version": "129776ac2e38231fa9c02ce20e116c99de291666", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/accel/qaic/qaic_control.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: tighten bounds checking in decode_message()\n\nCopy the bounds checking from encode_message() to decode_message().\n\nThis patch addresses the following concerns. 
Ensure that there is\nenough space for at least one header so that we don\u0027t have a negative\nsize later.\n\n\tif (msg_hdr_len \u003c sizeof(*trans_hdr))\n\nEnsure that we have enough space to read the next header from the\nmsg-\u003edata.\n\n\tif (msg_len \u003e msg_hdr_len - sizeof(*trans_hdr))\n\t\treturn -EINVAL;\n\nCheck that the trans_hdr-\u003elen is not below the minimum size:\n\n\tif (hdr_len \u003c sizeof(*trans_hdr))\n\nThis minimum check ensures that we don\u0027t corrupt memory in\ndecode_passthrough() when we do.\n\n\tmemcpy(out_trans-\u003edata, in_trans-\u003edata, len - sizeof(in_trans-\u003ehdr));\n\nAnd finally, use size_add() to prevent an integer overflow:\n\n\tif (size_add(msg_len, hdr_len) \u003e msg_hdr_len)" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:44.939Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd" }, { "url": "https://git.kernel.org/stable/c/51b56382ed2a2b03347372272362b3baa623ed1e" } ], "title": "accel/qaic: tighten bounds checking in decode_message()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53493", "datePublished": "2025-10-01T11:45:44.939Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:44.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53474 (GCVE-0-2023-53474)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/MCE/AMD: Use an u64 for bank_map
The maximum number of MCA banks is 64 (MAX_NR_BANKS), see

    a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64").

However, the bank_map which contains a bitfield of which banks to
initialize is of type unsigned int and that overflows when those bit
numbers are >= 32, leading to UBSAN complaining correctly:

    UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38
    shift exponent 32 is too large for 32-bit type 'int'

Change the bank_map to a u64 and use the proper BIT_ULL() macro when
modifying bits in there.
[ bp: Rewrite commit message. ]
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: a0bc32b3cacf194dc479b342f006203fd1e1941a Version: a0bc32b3cacf194dc479b342f006203fd1e1941a Version: a0bc32b3cacf194dc479b342f006203fd1e1941a Version: a0bc32b3cacf194dc479b342f006203fd1e1941a Version: a0bc32b3cacf194dc479b342f006203fd1e1941a Version: a0bc32b3cacf194dc479b342f006203fd1e1941a
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/mce/amd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a9b9ea0e63a0ec5e97bf1219ab6dcbd55e362f83", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" }, { "lessThan": "11c58a0c1937c157dbdf82d5ab634d68c99f3098", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" }, { "lessThan": "ba8ffb1251eb629c2ec35220e3896cf4f7b888a7", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" }, { "lessThan": "9669fa17287c3af2bbd4868d4c8fdd9e57f8332e", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" }, { "lessThan": "67bb7521b6420d81dab7538c0686f18f7d6d09f4", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" }, { "lessThan": "4c1cdec319b9aadb65737c3eb1f5cb74bd6aa156", "status": "affected", "version": "a0bc32b3cacf194dc479b342f006203fd1e1941a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/mce/amd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.180", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.111", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.28", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": 
"6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.180", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.111", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.28", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE/AMD: Use an u64 for bank_map\n\nThee maximum number of MCA banks is 64 (MAX_NR_BANKS), see\n\n a0bc32b3cacf (\"x86/mce: Increase maximum number of banks to 64\").\n\nHowever, the bank_map which contains a bitfield of which banks to\ninitialize is of type unsigned int and that overflows when those bit\nnumbers are \u003e= 32, leading to UBSAN complaining correctly:\n\n UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38\n shift exponent 32 is too large for 32-bit type \u0027int\u0027\n\nChange the bank_map to a u64 and use the proper BIT_ULL() macro when\nmodifying bits in there.\n\n [ bp: Rewrite commit message. 
]" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:43.798Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a9b9ea0e63a0ec5e97bf1219ab6dcbd55e362f83" }, { "url": "https://git.kernel.org/stable/c/11c58a0c1937c157dbdf82d5ab634d68c99f3098" }, { "url": "https://git.kernel.org/stable/c/ba8ffb1251eb629c2ec35220e3896cf4f7b888a7" }, { "url": "https://git.kernel.org/stable/c/9669fa17287c3af2bbd4868d4c8fdd9e57f8332e" }, { "url": "https://git.kernel.org/stable/c/67bb7521b6420d81dab7538c0686f18f7d6d09f4" }, { "url": "https://git.kernel.org/stable/c/4c1cdec319b9aadb65737c3eb1f5cb74bd6aa156" } ], "title": "x86/MCE/AMD: Use an u64 for bank_map", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53474", "datePublished": "2025-10-01T11:42:43.798Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:43.798Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50437 (GCVE-0-2022-50437)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502670/
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c Version: a3376e3ec81c5dd0622cbc187db76d2824d31c1c
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/hdmi/hdmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a9c1a6991a9b5aa6d0f2cbc9b8c3bf6c4d094dfa", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "e8f916b84e4b028ecad6c6472eaad543cc7df806", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "3c43f3ec731c233eb84b66199ee76dbf3ec6ecae", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "ed7f1ff87a4afea1bc220d2ff00a7ce8e61f0b53", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "08c7375fa27a8ceee028868e03ffb3a0db919d44", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "b48949ab451eaf1e2c04c272c8a9a96a2b56546f", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "9efb45b45ff6254bfd1f1997a06725cb3fc998a5", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" }, { "lessThan": "4c1294da6aed1f16d47a417dcfe6602833c3c95c", "status": "affected", "version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/hdmi/hdmi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.332", "versionType": "semver" }, { 
"lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.298", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.264", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.223", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.332", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.298", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.264", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.223", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "3.12", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502670/" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:14.400Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a9c1a6991a9b5aa6d0f2cbc9b8c3bf6c4d094dfa" }, { "url": "https://git.kernel.org/stable/c/e8f916b84e4b028ecad6c6472eaad543cc7df806" }, { "url": "https://git.kernel.org/stable/c/3c43f3ec731c233eb84b66199ee76dbf3ec6ecae" }, { "url": "https://git.kernel.org/stable/c/ed7f1ff87a4afea1bc220d2ff00a7ce8e61f0b53" }, { "url": "https://git.kernel.org/stable/c/08c7375fa27a8ceee028868e03ffb3a0db919d44" }, { "url": "https://git.kernel.org/stable/c/b48949ab451eaf1e2c04c272c8a9a96a2b56546f" }, { "url": "https://git.kernel.org/stable/c/9efb45b45ff6254bfd1f1997a06725cb3fc998a5" }, { "url": "https://git.kernel.org/stable/c/4c1294da6aed1f16d47a417dcfe6602833c3c95c" } ], "title": "drm/msm/hdmi: fix memory corruption with too many bridges", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50437", "datePublished": "2025-10-01T11:42:14.400Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:14.400Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50439 (GCVE-0-2022-50439)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
If the device does not come straight from reset, we might receive an IRQ
before we are ready to handle it.
[ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4
[ 2.522601] Call trace:
[ 2.525040] regmap_read+0x1c/0x80
[ 2.528434] mt8173_afe_irq_handler+0x40/0xf0
...
[ 2.598921] start_kernel+0x338/0x42c
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: ee0bcaff109f36d582df9851f204c9a5eb79c028 Version: ee0bcaff109f36d582df9851f204c9a5eb79c028 Version: ee0bcaff109f36d582df9851f204c9a5eb79c028 Version: ee0bcaff109f36d582df9851f204c9a5eb79c028 Version: ee0bcaff109f36d582df9851f204c9a5eb79c028 Version: ee0bcaff109f36d582df9851f204c9a5eb79c028
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/soc/mediatek/mt8173/mt8173-afe-pcm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "190685ff4ee03eef8f12c71d8f626e414fa078a9", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" }, { "lessThan": "57491967ad8f865a9a81d08c36b26facd14d84e5", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" }, { "lessThan": "27e7cf595d4a9fea9d3906b47d0faa87896beeb3", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" }, { "lessThan": "9ce9c78a2bdbc9a014e7102a35834310c28528b9", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" }, { "lessThan": "77c6b6be7e80ca4a4d4b66b63fd5bb48ccefdd5a", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" }, { "lessThan": "4cbb264d4e9136acab2c8fd39e39ab1b1402b84b", "status": "affected", "version": "ee0bcaff109f36d582df9851f204c9a5eb79c028", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/soc/mediatek/mt8173/mt8173-afe-pcm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, 
{ "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8173: Enable IRQ when pdata is ready\n\nIf the device does not come straight from reset, we might receive an IRQ\nbefore we are ready to handle it.\n\n\n[ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4\n[ 2.522601] Call trace:\n[ 2.525040] regmap_read+0x1c/0x80\n[ 2.528434] mt8173_afe_irq_handler+0x40/0xf0\n...\n[ 2.598921] start_kernel+0x338/0x42c" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:15.829Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/190685ff4ee03eef8f12c71d8f626e414fa078a9" }, { "url": 
"https://git.kernel.org/stable/c/57491967ad8f865a9a81d08c36b26facd14d84e5" }, { "url": "https://git.kernel.org/stable/c/27e7cf595d4a9fea9d3906b47d0faa87896beeb3" }, { "url": "https://git.kernel.org/stable/c/9ce9c78a2bdbc9a014e7102a35834310c28528b9" }, { "url": "https://git.kernel.org/stable/c/77c6b6be7e80ca4a4d4b66b63fd5bb48ccefdd5a" }, { "url": "https://git.kernel.org/stable/c/4cbb264d4e9136acab2c8fd39e39ab1b1402b84b" } ], "title": "ASoC: mediatek: mt8173: Enable IRQ when pdata is ready", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50439", "datePublished": "2025-10-01T11:42:15.829Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-01T11:42:15.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53531 (GCVE-0-2023-53531)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: fix poll request timeout handling
When doing io_uring benchmark on /dev/nullb0, it's easy to crash the
kernel if poll requests timeout triggered, as reported by David. [1]
BUG: kernel NULL pointer dereference, address: 0000000000000008
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:null_timeout_rq+0x4e/0x91
Call Trace:
? null_timeout_rq+0x4e/0x91
blk_mq_handle_expired+0x31/0x4b
bt_iter+0x68/0x84
? bt_tags_iter+0x81/0x81
__sbitmap_for_each_set.constprop.0+0xb0/0xf2
? __blk_mq_complete_request_remote+0xf/0xf
bt_for_each+0x46/0x64
? __blk_mq_complete_request_remote+0xf/0xf
? percpu_ref_get_many+0xc/0x2a
blk_mq_queue_tag_busy_iter+0x14d/0x18e
blk_mq_timeout_work+0x95/0x127
process_one_work+0x185/0x263
worker_thread+0x1b5/0x227
This is indeed a race problem between null_timeout_rq() and null_poll().
null_poll()                               null_timeout_rq()
  spin_lock(&nq->poll_lock)
  list_splice_init(&nq->poll_list, &list)
  spin_unlock(&nq->poll_lock)
  while (!list_empty(&list))
    req = list_first_entry()
    list_del_init()
    ...
    blk_mq_add_to_batch()
    // req->rq_next = NULL
                                          spin_lock(&nq->poll_lock)
                                          // rq->queuelist->next == NULL
                                          list_del_init(&rq->queuelist)
                                          spin_unlock(&nq->poll_lock)
Fix these problems by setting the request state to MQ_RQ_COMPLETE under
nq->poll_lock protection, in which null_timeout_rq() can safely detect
this race and return early.
Note this patch just fixes the kernel panic when a request timeout happens.
[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/null_blk/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a0b4a0666beacfe8add9c71d8922475541dbae73", "status": "affected", "version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b", "versionType": "git" }, { "lessThan": "a7cb2e709f2927cc3c76781df3e45de2381b3b9d", "status": "affected", "version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b", "versionType": "git" }, { "lessThan": "5a26e45edb4690d58406178b5a9ea4c6dcf2c105", "status": "affected", "version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/null_blk/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.16" }, { "lessThan": "5.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.54", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.54", "versionStartIncluding": "5.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "versionStartIncluding": "5.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "5.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the 
Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix poll request timeout handling\n\nWhen doing io_uring benchmark on /dev/nullb0, it\u0027s easy to crash the\nkernel if poll requests timeout triggered, as reported by David. [1]\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:null_timeout_rq+0x4e/0x91\nCall Trace:\n ? null_timeout_rq+0x4e/0x91\n blk_mq_handle_expired+0x31/0x4b\n bt_iter+0x68/0x84\n ? bt_tags_iter+0x81/0x81\n __sbitmap_for_each_set.constprop.0+0xb0/0xf2\n ? __blk_mq_complete_request_remote+0xf/0xf\n bt_for_each+0x46/0x64\n ? __blk_mq_complete_request_remote+0xf/0xf\n ? percpu_ref_get_many+0xc/0x2a\n blk_mq_queue_tag_busy_iter+0x14d/0x18e\n blk_mq_timeout_work+0x95/0x127\n process_one_work+0x185/0x263\n worker_thread+0x1b5/0x227\n\nThis is indeed a race problem between null_timeout_rq() and null_poll().\n\nnull_poll()\t\t\t\tnull_timeout_rq()\n spin_lock(\u0026nq-\u003epoll_lock)\n list_splice_init(\u0026nq-\u003epoll_list, \u0026list)\n spin_unlock(\u0026nq-\u003epoll_lock)\n\n while (!list_empty(\u0026list))\n req = list_first_entry()\n list_del_init()\n ...\n blk_mq_add_to_batch()\n // req-\u003erq_next = NULL\n\t\t\t\t\tspin_lock(\u0026nq-\u003epoll_lock)\n\n\t\t\t\t\t// rq-\u003equeuelist-\u003enext == NULL\n\t\t\t\t\tlist_del_init(\u0026rq-\u003equeuelist)\n\n\t\t\t\t\tspin_unlock(\u0026nq-\u003epoll_lock)\n\nFix these problems by setting requests state to MQ_RQ_COMPLETE under\nnq-\u003epoll_lock protection, in which null_timeout_rq() can safely detect\nthis race and early return.\n\nNote this patch just fix the kernel panic when request timeout happen.\n\n[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:15.949Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": 
"https://git.kernel.org/stable/c/a0b4a0666beacfe8add9c71d8922475541dbae73" }, { "url": "https://git.kernel.org/stable/c/a7cb2e709f2927cc3c76781df3e45de2381b3b9d" }, { "url": "https://git.kernel.org/stable/c/5a26e45edb4690d58406178b5a9ea4c6dcf2c105" } ], "title": "null_blk: fix poll request timeout handling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53531", "datePublished": "2025-10-01T11:46:15.949Z", "dateReserved": "2025-10-01T11:39:39.408Z", "dateUpdated": "2025-10-01T11:46:15.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53472 (GCVE-0-2023-53472)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: lpc32xx: Remove handling of PWM channels
Because LPC32xx PWM controllers have only a single output which is
registered as the only PWM device/channel per controller, it is known in
advance that pwm->hwpwm value is always 0. On the basis of this fact,
simplify the code by removing operations with pwm->hwpwm; there are no
controls which require channel number as input.
Even though I wasn't aware at the time when I forward ported that patch,
this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL
before devm_pwmchip_add() is called.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: bb4de81eb940e7027f37a6fd3b7ddcb4403deb56 Version: 4459118977665f681017e1299933895d54b6e87b Version: 81e6b51709da162b94e40a445bb60856406beaa1 Version: 322b70b522abe03cd59712bb47a72eddd835d19d Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 7fc2172ad4e701d3c6e7dcb7b2efd8df71d2417b Version: 1c90a357cef4219cb436e59cc7463888103e104b
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/pwm/pwm-lpc32xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "abd9b2ee4047ccd980decbf26d61f9637604b1d5", "status": "affected", "version": "bb4de81eb940e7027f37a6fd3b7ddcb4403deb56", "versionType": "git" }, { "lessThan": "a9a505f5b39d8fff1a55963a5e524c84639e98b2", "status": "affected", "version": "4459118977665f681017e1299933895d54b6e87b", "versionType": "git" }, { "lessThan": "04301da4d87067a989f70ee56942bf9d97cd2a45", "status": "affected", "version": "81e6b51709da162b94e40a445bb60856406beaa1", "versionType": "git" }, { "lessThan": "a2d9d884e84bfd37892219b1f55847f36d8e9901", "status": "affected", "version": "322b70b522abe03cd59712bb47a72eddd835d19d", "versionType": "git" }, { "lessThan": "5e22217c11424ef958ba28d03ff7167b4d7a8914", "status": "affected", "version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e", "versionType": "git" }, { "lessThan": "523f6268e86552a048975749251184c4e9a4b38f", "status": "affected", "version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e", "versionType": "git" }, { "lessThan": "e3a0ddbaf7f1f9ffc070718b417461ced3268758", "status": "affected", "version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e", "versionType": "git" }, { "lessThan": "4aae44f65827f0213a7361cf9c32cfe06114473f", "status": "affected", "version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e", "versionType": "git" }, { "status": "affected", "version": "7fc2172ad4e701d3c6e7dcb7b2efd8df71d2417b", "versionType": "git" }, { "status": "affected", "version": "1c90a357cef4219cb436e59cc7463888103e104b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/pwm/pwm-lpc32xx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { 
"lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.54", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "4.14.248", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "4.19.208", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "5.4.149", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "5.10.69", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.54", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", 
"versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.284", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: lpc32xx: Remove handling of PWM channels\n\nBecause LPC32xx PWM controllers have only a single output which is\nregistered as the only PWM device/channel per controller, it is known in\nadvance that pwm-\u003ehwpwm value is always 0. On basis of this fact\nsimplify the code by removing operations with pwm-\u003ehwpwm, there is no\ncontrols which require channel number as input.\n\nEven though I wasn\u0027t aware at the time when I forward ported that patch,\nthis fixes a null pointer dereference as lpc32xx-\u003echip.pwms is NULL\nbefore devm_pwmchip_add() is called." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:41.951Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/abd9b2ee4047ccd980decbf26d61f9637604b1d5" }, { "url": "https://git.kernel.org/stable/c/a9a505f5b39d8fff1a55963a5e524c84639e98b2" }, { "url": "https://git.kernel.org/stable/c/04301da4d87067a989f70ee56942bf9d97cd2a45" }, { "url": "https://git.kernel.org/stable/c/a2d9d884e84bfd37892219b1f55847f36d8e9901" }, { "url": "https://git.kernel.org/stable/c/5e22217c11424ef958ba28d03ff7167b4d7a8914" }, { "url": "https://git.kernel.org/stable/c/523f6268e86552a048975749251184c4e9a4b38f" }, { "url": "https://git.kernel.org/stable/c/e3a0ddbaf7f1f9ffc070718b417461ced3268758" }, { "url": "https://git.kernel.org/stable/c/4aae44f65827f0213a7361cf9c32cfe06114473f" } ], "title": "pwm: lpc32xx: Remove handling of PWM channels", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53472", "datePublished": "2025-10-01T11:42:41.951Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:41.951Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53514 (GCVE-0-2023-53514)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix memory leak of device names
The device names allocated by dev_set_name() need to be freed
before module unloading, but they cannot be freed because
the kobject's refcount which was set in device_initialize()
has not been decreased to 0.
As the comment of device_add() says, if it fails, use only
put_device() to drop the refcount, then the name will be
freed in kobject_cleanup().
device_del() and put_device() can be replaced with
device_unregister(), so call it to unregister the
successfully added devices, and just call put_device() on the
device that was not added.
Add a release() function to the device to avoid the null release()
function WARNING in device_release(); it's empty, because
the context devices are freed together in
host1x_memory_context_list_free().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/host1x/context.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "958c6cbc32996c375af42db96ceba021a1959899", "status": "affected", "version": "8aa5bcb61612060429223d1fbb7a1c30a579fc1f", "versionType": "git" }, { "lessThan": "dba1aeaaf3d0e2f996cb0a5609e5e85ecf405a5c", "status": "affected", "version": "8aa5bcb61612060429223d1fbb7a1c30a579fc1f", "versionType": "git" }, { "lessThan": "3ab0f5ddb761270b11d8c90b8550a59666cfc9bb", "status": "affected", "version": "8aa5bcb61612060429223d1fbb7a1c30a579fc1f", "versionType": "git" }, { "lessThan": "55879dad0f3ae8468444b42f785ad79eac05fe5b", "status": "affected", "version": "8aa5bcb61612060429223d1fbb7a1c30a579fc1f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/host1x/context.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.28", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.28", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15", "versionStartIncluding": "6.0", 
"vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix memory leak of device names\n\nThe device names allocated by dev_set_name() need be freed\nbefore module unloading, but they can not be freed because\nthe kobject\u0027s refcount which was set in device_initialize()\nhas not be decreased to 0.\n\nAs comment of device_add() says, if it fails, use only\nput_device() drop the refcount, then the name will be\nfreed in kobejct_cleanup().\n\ndevice_del() and put_device() can be replaced with\ndevice_unregister(), so call it to unregister the added\nsuccessfully devices, and just call put_device() to the\nnot added device.\n\nAdd a release() function to device to avoid null release()\nfunction WARNING in device_release(), it\u0027s empty, because\nthe context devices are freed together in\nhost1x_memory_context_list_free()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:02.393Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/958c6cbc32996c375af42db96ceba021a1959899" }, { "url": "https://git.kernel.org/stable/c/dba1aeaaf3d0e2f996cb0a5609e5e85ecf405a5c" }, { "url": "https://git.kernel.org/stable/c/3ab0f5ddb761270b11d8c90b8550a59666cfc9bb" }, { "url": "https://git.kernel.org/stable/c/55879dad0f3ae8468444b42f785ad79eac05fe5b" } ], "title": "gpu: host1x: Fix memory leak of device names", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53514", "datePublished": "2025-10-01T11:46:02.393Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:02.393Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50458 (GCVE-0-2022-50458)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra: Fix refcount leak in tegra210_clock_init
of_find_matching_node() returns a node pointer with refcount
incremented; we should use of_node_put() on it when it is no longer needed.
Add the missing of_node_put() to avoid a refcount leak.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410 Version: 6b301a059eb2ebed1b12a900e3b21a38e48dd410
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra210.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a19360db83d29bd6b0de4ffad2c815d79246ba99", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "e715510adc20a4a07f157ece4e6d068e648a0383", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "ac010ec3484ba95c6ab3d946f9a83560005c13c6", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "6d3ac23b952f374017e1a5249d1f03bdbc7f9878", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "f487137a53b1a0692211f7ae82c0a7f87c30bdbe", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "417ed4432b1b40526b1cb50e535d46900505f6d9", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "1a6d97139b0a370a9d0809a00e91c41f5bcd3ef1", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "f38f34ba1e1029b927b81b9bf9d952f4ed4007bd", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" }, { "lessThan": "56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb", "status": "affected", "version": "6b301a059eb2ebed1b12a900e3b21a38e48dd410", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/tegra/clk-tegra210.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.5" }, { "lessThan": "4.5", "status": "unaffected", 
"version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.331", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.296", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.262", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.220", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.331", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.296", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.262", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.220", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "4.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: Fix refcount leak in tegra210_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:30.959Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a19360db83d29bd6b0de4ffad2c815d79246ba99" }, { "url": "https://git.kernel.org/stable/c/e715510adc20a4a07f157ece4e6d068e648a0383" }, { "url": "https://git.kernel.org/stable/c/ac010ec3484ba95c6ab3d946f9a83560005c13c6" }, { "url": "https://git.kernel.org/stable/c/6d3ac23b952f374017e1a5249d1f03bdbc7f9878" }, { "url": "https://git.kernel.org/stable/c/f487137a53b1a0692211f7ae82c0a7f87c30bdbe" }, { "url": "https://git.kernel.org/stable/c/417ed4432b1b40526b1cb50e535d46900505f6d9" }, { "url": "https://git.kernel.org/stable/c/1a6d97139b0a370a9d0809a00e91c41f5bcd3ef1" }, { "url": "https://git.kernel.org/stable/c/f38f34ba1e1029b927b81b9bf9d952f4ed4007bd" }, { "url": "https://git.kernel.org/stable/c/56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb" } ], "title": "clk: tegra: Fix refcount leak in tegra210_clock_init", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": 
"CVE-2022-50458", "datePublished": "2025-10-01T11:45:30.959Z", "dateReserved": "2025-10-01T11:38:45.640Z", "dateUpdated": "2025-10-01T11:45:30.959Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50461 (GCVE-0-2022-50461)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()
Ensure pm_runtime_put() is issued in the error path.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/ti/am65-cpsw-nuss.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2c14f5cf74c4995eaf284b496481866f012eba19", "status": "affected", "version": "93a76530316a3d8cc2d82c3deca48424fee92100", "versionType": "git" }, { "lessThan": "a8846b3398600a632696b6cf79f8a44a107eb226", "status": "affected", "version": "93a76530316a3d8cc2d82c3deca48424fee92100", "versionType": "git" }, { "lessThan": "5821504f5073983733465b8bc430049c4343bbd7", "status": "affected", "version": "93a76530316a3d8cc2d82c3deca48424fee92100", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/ti/am65-cpsw-nuss.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", 
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()\n\nEnsure pm_runtime_put() is issued in error path." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:33.300Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2c14f5cf74c4995eaf284b496481866f012eba19" }, { "url": "https://git.kernel.org/stable/c/a8846b3398600a632696b6cf79f8a44a107eb226" }, { "url": "https://git.kernel.org/stable/c/5821504f5073983733465b8bc430049c4343bbd7" } ], "title": "net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50461", "datePublished": "2025-10-01T11:45:33.300Z", "dateReserved": "2025-10-01T11:38:45.641Z", "dateUpdated": "2025-10-01T11:45:33.300Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53485 (GCVE-0-2023-53485)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev
Syzkaller reported the following issue:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6
index -84 is out of range for type 's8[341]' (aka 'signed char[341]')
CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965
dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809
dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350
dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874
dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]
dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863
jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137
lookup_open fs/namei.c:3492 [inline]
open_last_lookups fs/namei.c:3560 [inline]
path_openat+0x13df/0x3170 fs/namei.c:3788
do_filp_open+0x234/0x490 fs/namei.c:3818
do_sys_openat2+0x13f/0x500 fs/open.c:1356
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1383
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1f4e33f7e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The bug occurs when the dbAllocDmapLev() function attempts to access
dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative.
To rectify this, the patch introduces a safeguard within the
dbAllocDmapLev() function. A check has been added to verify if leafidx is
negative. If it is, the function immediately returns an I/O error, preventing
any further execution that could potentially cause harm.
Tested via syzbot.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/jfs/jfs_dmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0d9e678a82915633b99603f744e7735d1a673d72", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "53b0a362aca2583729e8ca2936ca657ff3247d88", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6e7d9d76e5654bcdd3cdb7c9441a8113428ecebb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "911b48eec45152822bccf45cd3563b48256b1520", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "39f6292d75959e8accac0b3e24090094ba0824e9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bdf07ab1595b613b03f32dbb5cb379edfa1a7334", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f2af019091f904ca08b3572ab0111238ad6d17b3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4e302336d5ca1767a06beee7596a72d3bdc8d983", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/jfs/jfs_dmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.324", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": 
"5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.123", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.42", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.324", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.123", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.42", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6\nindex -84 is out of range for type \u0027s8[341]\u0027 (aka \u0027signed char[341]\u0027)\nCPU: 1 PID: 
4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965\n dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809\n dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350\n dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874\n dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]\n dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863\n jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137\n lookup_open fs/namei.c:3492 [inline]\n open_last_lookups fs/namei.c:3560 [inline]\n path_openat+0x13df/0x3170 fs/namei.c:3788\n do_filp_open+0x234/0x490 fs/namei.c:3818\n do_sys_openat2+0x13f/0x500 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_openat fs/open.c:1388 [inline]\n __se_sys_openat fs/open.c:1383 [inline]\n __x64_sys_openat+0x247/0x290 fs/open.c:1383\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1f4e33f7e9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9\nRDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c\nRBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThe bug occurs when the dbAllocDmapLev()function attempts to 
access\ndp-\u003etree.stree[leafidx + LEAFIND] while the leafidx value is negative.\n\nTo rectify this, the patch introduces a safeguard within the\ndbAllocDmapLev() function. A check has been added to verify if leafidx is\nnegative. If it is, the function immediately returns an I/O error, preventing\nany further execution that could potentially cause harm.\n\nTested via syzbot." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:53.337Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0d9e678a82915633b99603f744e7735d1a673d72" }, { "url": "https://git.kernel.org/stable/c/53b0a362aca2583729e8ca2936ca657ff3247d88" }, { "url": "https://git.kernel.org/stable/c/6e7d9d76e5654bcdd3cdb7c9441a8113428ecebb" }, { "url": "https://git.kernel.org/stable/c/911b48eec45152822bccf45cd3563b48256b1520" }, { "url": "https://git.kernel.org/stable/c/39f6292d75959e8accac0b3e24090094ba0824e9" }, { "url": "https://git.kernel.org/stable/c/bdf07ab1595b613b03f32dbb5cb379edfa1a7334" }, { "url": "https://git.kernel.org/stable/c/f2af019091f904ca08b3572ab0111238ad6d17b3" }, { "url": "https://git.kernel.org/stable/c/4e302336d5ca1767a06beee7596a72d3bdc8d983" } ], "title": "fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53485", "datePublished": "2025-10-01T11:42:53.337Z", "dateReserved": "2025-10-01T11:39:39.402Z", "dateUpdated": "2025-10-01T11:42:53.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53518 (GCVE-0-2023-53518)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: Fix leak in devfreq_dev_release()
srcu_init_notifier_head() allocates resources that need to be released
with a srcu_cleanup_notifier_head() call.
Reported by kmemleak.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 0fe3a66410a3ba96679be903f1e287d7a0a264a9
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/devfreq/devfreq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7462483446cb9986568ad7adae746ce5f18d2968", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "64e6e0dc2d578c0a9e31cb4edd719f0a3ed98f6d", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "29811f4b8255d4238cf326f3bb7129784766beab", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "ab192e5e5d3b48415909a8408acfd007a607bcc0", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "111bafa210ae546bee7644be730c42df9c35b66e", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "8918025feb2f5f7c73f2495c158f22997e25cb02", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "1640e9c72173911ad0fddb05012c01eafe082c4e", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "3354c401c68d70567d1ef25d12f4e22a7813a3c6", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" }, { "lessThan": "5693d077595de721f9ddbf9d37f40e5409707dfe", "status": "affected", "version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/devfreq/devfreq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.7" }, { "lessThan": "4.7", "status": "unaffected", "version": 
"0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.53", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.53", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.4.16", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "4.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Fix leak in devfreq_dev_release()\n\nsrcu_init_notifier_head() allocates resources that need to be released\nwith a srcu_cleanup_notifier_head() call.\n\nReported by kmemleak." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:05.446Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7462483446cb9986568ad7adae746ce5f18d2968" }, { "url": "https://git.kernel.org/stable/c/64e6e0dc2d578c0a9e31cb4edd719f0a3ed98f6d" }, { "url": "https://git.kernel.org/stable/c/29811f4b8255d4238cf326f3bb7129784766beab" }, { "url": "https://git.kernel.org/stable/c/ab192e5e5d3b48415909a8408acfd007a607bcc0" }, { "url": "https://git.kernel.org/stable/c/111bafa210ae546bee7644be730c42df9c35b66e" }, { "url": "https://git.kernel.org/stable/c/8918025feb2f5f7c73f2495c158f22997e25cb02" }, { "url": "https://git.kernel.org/stable/c/1640e9c72173911ad0fddb05012c01eafe082c4e" }, { "url": "https://git.kernel.org/stable/c/3354c401c68d70567d1ef25d12f4e22a7813a3c6" }, { "url": "https://git.kernel.org/stable/c/5693d077595de721f9ddbf9d37f40e5409707dfe" } ], "title": "PM / devfreq: Fix leak in devfreq_dev_release()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53518", "datePublished": "2025-10-01T11:46:05.446Z", "dateReserved": 
"2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:05.446Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53504 (GCVE-0-2023-53504)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF
ib_dealloc_device() should be called only after device cleanup. Fix the
dealloc sequence.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/bnxt_re/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c95863f6d970ef968e7c1f3c481f72a4b0734654", "status": "affected", "version": "6d758147c7b80a46465f72e9e6294d244ee98a21", "versionType": "git" }, { "lessThan": "5363fc488da579923edf6a2fdca3d3b651dd800b", "status": "affected", "version": "6d758147c7b80a46465f72e9e6294d244ee98a21", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/bnxt_re/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.11", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF\n\nib_dealloc_device() should be called only after device cleanup. Fix the\ndealloc sequence." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:54.977Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c95863f6d970ef968e7c1f3c481f72a4b0734654" }, { "url": "https://git.kernel.org/stable/c/5363fc488da579923edf6a2fdca3d3b651dd800b" } ], "title": "RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53504", "datePublished": "2025-10-01T11:45:54.977Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T11:45:54.977Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50427 (GCVE-0-2022-50427)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
If device_register() fails in snd_ac97_dev_register(), it should
call put_device() to give up reference, or the name allocated in
dev_set_name() is leaked.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 0ca06a00e206b963587ac471e6d1c52bf33b9a18
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/pci/ac97/ac97_codec.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a602ec9d88f177dba78bc97fb1adecc7a71ff279", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "0f8e9a15c8ecf95057061d370a2dddaf1cee4aeb", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "ee8bf0946f62ef00e5db4b613a9f664ac567259a", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "758dbcc6fbf2286eff02743b093c70a18a407d66", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "bfce73088682ef0770da951f51156c36a89be490", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "4fdf6f978c6b605ca0d67bf0e982b7a8fc0f4aab", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "c68b2e9ef246117f696e360bbdd2f5736b3a7127", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" }, { "lessThan": "4881bda5ea05c8c240fc8afeaa928e2bc43f61fa", "status": "affected", "version": "0ca06a00e206b963587ac471e6d1c52bf33b9a18", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/pci/ac97/ac97_codec.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.14" }, { "lessThan": "2.6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.332", "versionType": "semver" }, { 
"lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.298", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.264", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.223", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.153", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.77", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.332", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.298", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.264", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.223", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.153", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.77", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.7", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "2.6.14", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: fix possible memory leak in snd_ac97_dev_register()\n\nIf device_register() fails in snd_ac97_dev_register(), it should\ncall put_device() to give up reference, or the name allocated in\ndev_set_name() is leaked." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:06.365Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a602ec9d88f177dba78bc97fb1adecc7a71ff279" }, { "url": "https://git.kernel.org/stable/c/0f8e9a15c8ecf95057061d370a2dddaf1cee4aeb" }, { "url": "https://git.kernel.org/stable/c/ee8bf0946f62ef00e5db4b613a9f664ac567259a" }, { "url": "https://git.kernel.org/stable/c/758dbcc6fbf2286eff02743b093c70a18a407d66" }, { "url": "https://git.kernel.org/stable/c/bfce73088682ef0770da951f51156c36a89be490" }, { "url": "https://git.kernel.org/stable/c/4fdf6f978c6b605ca0d67bf0e982b7a8fc0f4aab" }, { "url": "https://git.kernel.org/stable/c/c68b2e9ef246117f696e360bbdd2f5736b3a7127" }, { "url": "https://git.kernel.org/stable/c/4881bda5ea05c8c240fc8afeaa928e2bc43f61fa" } ], "title": "ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50427", "datePublished": "2025-10-01T11:42:06.365Z", "dateReserved": "2025-09-17T14:53:07.004Z", "dateUpdated": "2025-10-01T11:42:06.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50451 (GCVE-0-2022-50451)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix memory leak on ntfs_fill_super() error path
syzbot reported kmemleak as below:
BUG: memory leak
unreferenced object 0xffff8880122f1540 (size 32):
comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................
backtrace:
[<ffffffff81b16052>] ntfs_init_fs_context+0x22/0x1c0
[<ffffffff8164aaa7>] alloc_fs_context+0x217/0x430
[<ffffffff81626dd4>] path_mount+0x704/0x1080
[<ffffffff81627e7c>] __x64_sys_mount+0x18c/0x1d0
[<ffffffff84593e14>] do_syscall_64+0x34/0xb0
[<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
This patch fixes this issue by freeing mount options on error path of
ntfs_fill_super().
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ntfs3/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2dd9ccfb06bcdad30ad92d96c3affa38a458679e", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "ff0df7d9cdbb12878155168b5234e99029e5377f", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "2600c80ea7b39f987c3fa89287e73d62e322bbbd", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "51e76a232f8c037f1d9e9922edc25b003d5f3414", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ntfs3/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.17", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.17", "versionStartIncluding": "5.15", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.3", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix memory leak on ntfs_fill_super() error path\n\nsyzbot reported kmemleak as below:\n\nBUG: memory leak\nunreferenced object 0xffff8880122f1540 (size 32):\n comm \"a.out\", pid 6664, jiffies 4294939771 (age 25.500s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................\n backtrace:\n [\u003cffffffff81b16052\u003e] ntfs_init_fs_context+0x22/0x1c0\n [\u003cffffffff8164aaa7\u003e] alloc_fs_context+0x217/0x430\n [\u003cffffffff81626dd4\u003e] path_mount+0x704/0x1080\n [\u003cffffffff81627e7c\u003e] __x64_sys_mount+0x18c/0x1d0\n [\u003cffffffff84593e14\u003e] do_syscall_64+0x34/0xb0\n [\u003cffffffff84600087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by freeing mount options on error path of\nntfs_fill_super()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:17.424Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2dd9ccfb06bcdad30ad92d96c3affa38a458679e" }, { "url": "https://git.kernel.org/stable/c/ff0df7d9cdbb12878155168b5234e99029e5377f" }, { "url": "https://git.kernel.org/stable/c/2600c80ea7b39f987c3fa89287e73d62e322bbbd" }, { "url": "https://git.kernel.org/stable/c/51e76a232f8c037f1d9e9922edc25b003d5f3414" } ], "title": "fs/ntfs3: Fix memory leak on ntfs_fill_super() error path", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50451", "datePublished": "2025-10-01T11:45:24.652Z", "dateReserved": "2025-09-17T14:53:07.011Z", "dateUpdated": "2025-10-02T07:04:17.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53532 (GCVE-0-2023-53532)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix deinitialization of firmware resources
Currently, in ath11k_ahb_fw_resources_init(), iommu domain
mapping is done only for the chipsets having fixed firmware
memory. Also, for such chipsets, mapping is done only if it
does not have TrustZone support.
During deinitialization, only if TrustZone support is not there,
iommu is unmapped back. However, for non fixed firmware memory
chipsets, TrustZone support is not there and this makes the
condition check to true and it tries to unmap the memory which
was not mapped during initialization.
This leads to the following trace -
[ 83.198790] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 83.259537] Modules linked in: ath11k_ahb ath11k qmi_helpers
.. snip ..
[ 83.280286] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 83.287228] pc : __iommu_unmap+0x30/0x140
[ 83.293907] lr : iommu_unmap+0x5c/0xa4
[ 83.298072] sp : ffff80000b3abad0
.. snip ..
[ 83.369175] Call trace:
[ 83.376282] __iommu_unmap+0x30/0x140
[ 83.378541] iommu_unmap+0x5c/0xa4
[ 83.382360] ath11k_ahb_fw_resource_deinit.part.12+0x2c/0xac [ath11k_ahb]
[ 83.385666] ath11k_ahb_free_resources+0x140/0x17c [ath11k_ahb]
[ 83.392521] ath11k_ahb_shutdown+0x34/0x40 [ath11k_ahb]
[ 83.398248] platform_shutdown+0x20/0x2c
[ 83.403455] device_shutdown+0x16c/0x1c4
[ 83.407621] kernel_restart_prepare+0x34/0x3c
[ 83.411529] kernel_restart+0x14/0x74
[ 83.415781] __do_sys_reboot+0x1c4/0x22c
[ 83.419427] __arm64_sys_reboot+0x1c/0x24
[ 83.423420] invoke_syscall+0x44/0xfc
[ 83.427326] el0_svc_common.constprop.3+0xac/0xe8
[ 83.430974] do_el0_svc+0xa0/0xa8
[ 83.435659] el0_svc+0x1c/0x44
[ 83.438957] el0t_64_sync_handler+0x60/0x144
[ 83.441910] el0t_64_sync+0x15c/0x160
[ 83.446343] Code: aa0103f4 f9400001 f90027a1 d2800001 (f94006a0)
[ 83.449903] ---[ end trace 0000000000000000 ]---
This can be reproduced by probing an AHB chipset which does not
have a fixed memory region. During reboot (or rmmod) the trace
can be seen.
Fix this issue by adding a condition check on firmware fixed memory
hw_param as done in the counter initialization function.
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
References
Impacted products
CVE-2022-50433 (GCVE-0-2022-50433)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: ssdt: Don't free memory if ACPI table was loaded successfully
Amadeusz reports KASAN use-after-free errors introduced by commit
3881ee0b1edc ("efi: avoid efivars layer when loading SSDTs from
variables"). The problem appears to be that the memory that holds the
new ACPI table is now freed unconditionally, instead of only when the
ACPI core reported a failure to load the table.
So let's fix this, by omitting the kfree() on success.
References
Impacted products
CVE-2023-53480 (GCVE-0-2023-53480)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
kobject: Add sanity check for kset->kobj.ktype in kset_register()
When I register a kset in the following way:
static struct kset my_kset;
kobject_set_name(&my_kset.kobj, "my_kset");
ret = kset_register(&my_kset);
A null pointer dereference exception occurred:
[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
virtual address 0000000000000028
... ...
[ 4453.810361] Call trace:
[ 4453.813062] kobject_get_ownership+0xc/0x34
[ 4453.817493] kobject_add_internal+0x98/0x274
[ 4453.822005] kset_register+0x5c/0xb4
[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
... ...
Because I didn't initialize my_kset.kobj.ktype.
According to the description in Documentation/core-api/kobject.rst:
- A ktype is the type of object that embeds a kobject. Every structure
that embeds a kobject needs a corresponding ktype.
So add a sanity check to make sure kset->kobj.ktype is not NULL.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVE-2023-53501 (GCVE-0-2023-53501)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind
When unbinding pasid - a race condition exists vs outstanding page faults.
To prevent this, the pasid_state object contains a refcount.
* set to 1 on pasid bind
* incremented on each ppr notification start
* decremented on each ppr notification done
* decremented on pasid unbind
Since refcount_dec assumes that refcount will never reach 0:
the current implementation causes the following to be invoked on
pasid unbind:
REFCOUNT_WARN("decrement hit 0; leaking memory")
Fix this issue by changing refcount_dec to refcount_dec_and_test
to explicitly handle refcount=1.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 8bc54824da4e8fcf0ed679cf09ac32f23d83254a
CVE-2023-53470 (GCVE-0-2023-53470)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: catch failure from devlink_alloc
Add a check for NULL on the alloc return. If devlink_alloc() fails and
we try to use devlink_priv() on the NULL return, the kernel gets very
unhappy and panics. With this fix, the driver load will still fail,
but at least it won't panic the kernel.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: df69ba43217d3cf4215c83c0627ce98a26e56e7c
CVE-2023-53496 (GCVE-0-2023-53496)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/platform/uv: Use alternate source for socket to node data
The UV code attempts to build a set of tables to allow it to do
bidirectional socket<=>node lookups.
But when nr_cpus is set to a smaller number than actually present, the
cpu_to_node() mapping information for unused CPUs is not available to
build_socket_tables(). This results in skipping some nodes or sockets
when creating the tables and leaving some -1's for later code to trip
over, causing oopses.
The problem is that the socket<=>node lookups are created by doing a
loop over all CPUs, then looking up the CPU's APICID and socket. But
if a CPU is not present, there is no way to start this lookup.
Instead of looping over all CPUs, take CPUs out of the equation
entirely. Loop over all APICIDs which are mapped to a valid NUMA node.
Then just extract the socket-id from the APICID.
This avoids tripping over disabled CPUs.
References
Impacted products
CVE-2023-53511 (GCVE-0-2023-53511)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix fget leak when fs don't support nowait buffered read
Heming reported a BUG when using io_uring doing link-cp on ocfs2. [1]
Do the following steps can reproduce this BUG:
mount -t ocfs2 /dev/vdc /mnt/ocfs2
cp testfile /mnt/ocfs2/
./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1
umount /mnt/ocfs2
Then umount will fail, and it outputs:
umount: /mnt/ocfs2: target is busy.
While tracing umount, it blames mnt_get_count() not return as expected.
Do a deep investigation for fget()/fput() on related code flow, I've
finally found that fget() leaks since ocfs2 doesn't support nowait
buffered read.
io_issue_sqe
|-io_assign_file // do fget() first
|-io_read
|-io_iter_do_read
|-ocfs2_file_read_iter // return -EOPNOTSUPP
|-kiocb_done
|-io_rw_done
|-__io_complete_rw_common // set REQ_F_REISSUE
|-io_resubmit_prep
|-io_req_prep_async // override req->file, leak happens
This was introduced by commit a196c78b5443 in v5.18. Fix it by don't
re-assign req->file if it has already been assigned.
[1] https://lore.kernel.org/ocfs2-devel/ab580a75-91c8-d68a-3455-40361be1bfa8@linux.alibaba.com/T/#t
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/io_uring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "75a499fc9d66a32271e2b3e4ca71156e8ad3b484", "status": "affected", "version": "a196c78b5443fc61af2c0490213b9d125482cbd1", "versionType": "git" }, { "lessThan": "10fb2e16ee6ffaf1716b9e90d007e6b300bfa457", "status": "affected", "version": "a196c78b5443fc61af2c0490213b9d125482cbd1", "versionType": "git" }, { "lessThan": "54aa7f2330b82884f4a1afce0220add6e8312f8b", "status": "affected", "version": "a196c78b5443fc61af2c0490213b9d125482cbd1", "versionType": "git" }, { "status": "affected", "version": "cef27a7d36026bd3c86f4fdfb4611ebbe2814af4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/io_uring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix fget leak when fs don\u0027t support nowait buffered read\n\nHeming reported a BUG when using io_uring doing link-cp on ocfs2. [1]\n\nDo the following steps can reproduce this BUG:\nmount -t ocfs2 /dev/vdc /mnt/ocfs2\ncp testfile /mnt/ocfs2/\n./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1\numount /mnt/ocfs2\n\nThen umount will fail, and it outputs:\numount: /mnt/ocfs2: target is busy.\n\nWhile tracing umount, it blames mnt_get_count() not return as expected.\nDo a deep investigation for fget()/fput() on related code flow, I\u0027ve\nfinally found that fget() leaks since ocfs2 doesn\u0027t support nowait\nbuffered read.\n\nio_issue_sqe\n|-io_assign_file // do fget() first\n |-io_read\n |-io_iter_do_read\n |-ocfs2_file_read_iter // return -EOPNOTSUPP\n |-kiocb_done\n |-io_rw_done\n |-__io_complete_rw_common // set REQ_F_REISSUE\n |-io_resubmit_prep\n |-io_req_prep_async // override req-\u003efile, leak happens\n\nThis was introduced by commit a196c78b5443 in v5.18. 
Fix it by don\u0027t\nre-assign req-\u003efile if it has already been assigned.\n\n[1] https://lore.kernel.org/ocfs2-devel/ab580a75-91c8-d68a-3455-40361be1bfa8@linux.alibaba.com/T/#t" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:00.185Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/75a499fc9d66a32271e2b3e4ca71156e8ad3b484" }, { "url": "https://git.kernel.org/stable/c/10fb2e16ee6ffaf1716b9e90d007e6b300bfa457" }, { "url": "https://git.kernel.org/stable/c/54aa7f2330b82884f4a1afce0220add6e8312f8b" } ], "title": "io_uring: fix fget leak when fs don\u0027t support nowait buffered read", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53511", "datePublished": "2025-10-01T11:46:00.185Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:00.185Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53530 (GCVE-0-2023-53530)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
The following call trace was observed:
localhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete
localhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092
localhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN "nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291"
localhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]
localhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G B W OE --------- --- 5.14.0-70.22.1.el9_0.x86_64+debug #1
localhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022
localhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core]
localhost kernel: Call Trace:
localhost kernel: dump_stack_lvl+0x57/0x7d
localhost kernel: check_preemption_disabled+0xc8/0xd0
localhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]
Use raw_smp_processor_id() instead of smp_processor_id().
Also use queue_work() across the driver instead of queue_work_on() thus
avoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_inline.h", "drivers/scsi/qla2xxx/qla_isr.c", "drivers/scsi/qla2xxx/qla_target.c", "drivers/scsi/qla2xxx/tcm_qla2xxx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1a541999f31fcb10ea50eba2a563e6c451fd5c7d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "52c7b41ad6ee53222f4ee2f0c099a6ed8291a168", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "25bd0c7def04a272f8e89b36971712fe29c6e438", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "59f10a05b5c7b675256a66e3161741239889ff80", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_inline.h", "drivers/scsi/qla2xxx/qla_isr.c", "drivers/scsi/qla2xxx/qla_target.c", "drivers/scsi/qla2xxx/tcm_qla2xxx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.134", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.134", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.1.56", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()\n\nThe following call trace was observed:\n\nlocalhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete\nlocalhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092\nlocalhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN \"nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291\"\nlocalhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\nlocalhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G B W OE --------- --- 5.14.0-70.22.1.el9_0.x86_64+debug #1\nlocalhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022\nlocalhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core]\nlocalhost kernel: Call Trace:\nlocalhost kernel: dump_stack_lvl+0x57/0x7d\nlocalhost kernel: check_preemption_disabled+0xc8/0xd0\nlocalhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\n\nUse raw_smp_processor_id() instead of smp_processor_id().\n\nAlso use queue_work() across the driver instead of queue_work_on() thus\navoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:15.075Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1a541999f31fcb10ea50eba2a563e6c451fd5c7d" }, { "url": "https://git.kernel.org/stable/c/52c7b41ad6ee53222f4ee2f0c099a6ed8291a168" }, { "url": "https://git.kernel.org/stable/c/25bd0c7def04a272f8e89b36971712fe29c6e438" }, { "url": "https://git.kernel.org/stable/c/59f10a05b5c7b675256a66e3161741239889ff80" } ], "title": "scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53530", "datePublished": "2025-10-01T11:46:15.075Z", "dateReserved": "2025-10-01T11:39:39.408Z", "dateUpdated": "2025-10-01T11:46:15.075Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50436 (GCVE-0-2022-50436)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: don't set up encryption key during jbd2 transaction
Commit a80f7fcf1867 ("ext4: fixup ext4_fc_track_* functions' signature")
extended the scope of the transaction in ext4_unlink() too far, making
it include the call to ext4_find_entry(). However, ext4_find_entry()
can deadlock when called from within a transaction because it may need
to set up the directory's encryption key.
Fix this by restoring the transaction to its original scope.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: a80f7fcf18672ae4971a6b713b58c0d389aa99fe Version: a80f7fcf18672ae4971a6b713b58c0d389aa99fe Version: a80f7fcf18672ae4971a6b713b58c0d389aa99fe Version: a80f7fcf18672ae4971a6b713b58c0d389aa99fe Version: a80f7fcf18672ae4971a6b713b58c0d389aa99fe
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/ext4.h", "fs/ext4/fast_commit.c", "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "23ad034760dd38e12b0e0e1b28b9629f330810a1", "status": "affected", "version": "a80f7fcf18672ae4971a6b713b58c0d389aa99fe", "versionType": "git" }, { "lessThan": "6220ec405571ded17efedc56587190b542adf246", "status": "affected", "version": "a80f7fcf18672ae4971a6b713b58c0d389aa99fe", "versionType": "git" }, { "lessThan": "206dd3acfb9bca54a25b228c7c7c2257eedde09b", "status": "affected", "version": "a80f7fcf18672ae4971a6b713b58c0d389aa99fe", "versionType": "git" }, { "lessThan": "1ba993208bcfd691e241483420a2a761d3f15750", "status": "affected", "version": "a80f7fcf18672ae4971a6b713b58c0d389aa99fe", "versionType": "git" }, { "lessThan": "4c0d5778385cb3618ff26a561ce41de2b7d9de70", "status": "affected", "version": "a80f7fcf18672ae4971a6b713b58c0d389aa99fe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/ext4.h", "fs/ext4/fast_commit.c", "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.18", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], 
"cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.18", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.4", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don\u0027t set up encryption key during jbd2 transaction\n\nCommit a80f7fcf1867 (\"ext4: fixup ext4_fc_track_* functions\u0027 signature\")\nextended the scope of the transaction in ext4_unlink() too far, making\nit include the call to ext4_find_entry(). However, ext4_find_entry()\ncan deadlock when called from within a transaction because it may need\nto set up the directory\u0027s encryption key.\n\nFix this by restoring the transaction to its original scope." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:13.538Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/23ad034760dd38e12b0e0e1b28b9629f330810a1" }, { "url": "https://git.kernel.org/stable/c/6220ec405571ded17efedc56587190b542adf246" }, { "url": "https://git.kernel.org/stable/c/206dd3acfb9bca54a25b228c7c7c2257eedde09b" }, { "url": "https://git.kernel.org/stable/c/1ba993208bcfd691e241483420a2a761d3f15750" }, { "url": "https://git.kernel.org/stable/c/4c0d5778385cb3618ff26a561ce41de2b7d9de70" } ], "title": "ext4: don\u0027t set up encryption key during jbd2 transaction", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50436", "datePublished": "2025-10-01T11:42:13.538Z", "dateReserved": "2025-09-17T14:53:07.009Z", "dateUpdated": "2025-10-01T11:42:13.538Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53478 (GCVE-0-2023-53478)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/synthetic: Fix races on freeing last_cmd
Currently, the "last_cmd" variable can be accessed by multiple processes
asynchronously when multiple users manipulate synthetic_events node
at the same time, it could lead to use-after-free or double-free.
This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed
asynchronously.
================================================================
It's easy to reproduce in the KASAN environment by running the two
scripts below in different shells.
script 1:
    while :
    do
        echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events
    done
script 2:
    while :
    do
        echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events
    done
================================================================
double-free scenario:
process A                       process B
-------------------             ---------------
1.kstrdup last_cmd
                                2.free last_cmd
3.free last_cmd(double-free)
================================================================
use-after-free scenario:
process A                       process B
-------------------             ---------------
1.kstrdup last_cmd
                                2.free last_cmd
3.tracing_log_err(use-after-free)
================================================================
Appendix 1. KASAN report double-free:
BUG: KASAN: double-free in kfree+0xdc/0x1d4
Free of addr ***** by task sh/4879
Call trace:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x60/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
Allocated by task 4879:
...
kstrdup+0x5c/0x98
create_or_delete_synth_event+0x6c/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
Freed by task 5464:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x60/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
================================================================
Appendix 2. KASAN report use-after-free:
BUG: KASAN: use-after-free in strlen+0x5c/0x7c
Read of size 1 at addr ***** by task sh/5483
sh: CPU: 7 PID: 5483 Comm: sh
...
__asan_report_load1_noabort+0x34/0x44
strlen+0x5c/0x7c
tracing_log_err+0x60/0x444
create_or_delete_synth_event+0xc4/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
Allocated by task 5483:
...
kstrdup+0x5c/0x98
create_or_delete_synth_event+0x80/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
Freed by task 5480:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x74/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/trace_events_synth.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9fe183f659a2704255e5d84f6ae308c234a113ec", "status": "affected", "version": "27c888da9867725784bad3d6455d6e53b425fa2b", "versionType": "git" }, { "lessThan": "8826d9e7bd51e7656f78baa4472e8e2f5e7069f0", "status": "affected", "version": "27c888da9867725784bad3d6455d6e53b425fa2b", "versionType": "git" }, { "lessThan": "4ccf11c4e8a8e051499d53a12f502196c97a758e", "status": "affected", "version": "27c888da9867725784bad3d6455d6e53b425fa2b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/trace_events_synth.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.24", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.24", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.11", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": 
"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/synthetic: Fix races on freeing last_cmd\n\nCurrently, the \"last_cmd\" variable can be accessed by multiple processes\nasynchronously when multiple users manipulate synthetic_events node\nat the same time, it could lead to use-after-free or double-free.\n\nThis patch add \"lastcmd_mutex\" to prevent \"last_cmd\" from being accessed\nasynchronously.\n\n================================================================\n\nIt\u0027s easy to reproduce in the KASAN environment by running the two\nscripts below in different shells.\n\nscript 1:\n while :\n do\n echo -n -e \u0027\\x88\u0027 \u003e /sys/kernel/tracing/synthetic_events\n done\n\nscript 2:\n while :\n do\n echo -n -e \u0027\\xb0\u0027 \u003e /sys/kernel/tracing/synthetic_events\n done\n\n================================================================\ndouble-free scenario:\n\n process A process B\n------------------- ---------------\n1.kstrdup last_cmd\n 2.free last_cmd\n3.free last_cmd(double-free)\n\n================================================================\nuse-after-free scenario:\n\n process A process B\n------------------- ---------------\n1.kstrdup last_cmd\n 2.free last_cmd\n3.tracing_log_err(use-after-free)\n\n================================================================\n\nAppendix 1. 
KASAN report double-free:\n\nBUG: KASAN: double-free in kfree+0xdc/0x1d4\nFree of addr ***** by task sh/4879\nCall trace:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x60/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nAllocated by task 4879:\n ...\n kstrdup+0x5c/0x98\n create_or_delete_synth_event+0x6c/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nFreed by task 5464:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x60/0x1e8\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\n================================================================\nAppendix 2. KASAN report use-after-free:\n\nBUG: KASAN: use-after-free in strlen+0x5c/0x7c\nRead of size 1 at addr ***** by task sh/5483\nsh: CPU: 7 PID: 5483 Comm: sh\n ...\n __asan_report_load1_noabort+0x34/0x44\n strlen+0x5c/0x7c\n tracing_log_err+0x60/0x444\n create_or_delete_synth_event+0xc4/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nAllocated by task 5483:\n ...\n kstrdup+0x5c/0x98\n create_or_delete_synth_event+0x80/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ...\n\nFreed by task 5480:\n ...\n kfree+0xdc/0x1d4\n create_or_delete_synth_event+0x74/0x204\n trace_parse_run_command+0x2bc/0x4b8\n synth_events_write+0x20/0x30\n vfs_write+0x200/0x830\n ..." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:47.185Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9fe183f659a2704255e5d84f6ae308c234a113ec" }, { "url": "https://git.kernel.org/stable/c/8826d9e7bd51e7656f78baa4472e8e2f5e7069f0" }, { "url": "https://git.kernel.org/stable/c/4ccf11c4e8a8e051499d53a12f502196c97a758e" } ], "title": "tracing/synthetic: Fix races on freeing last_cmd", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53478", "datePublished": "2025-10-01T11:42:47.185Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:47.185Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50428 (GCVE-0-2022-50428)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off-by-one errors in fast-commit block filling
Due to several different off-by-one errors, or perhaps due to a late
change in design that wasn't fully reflected in the code that was
actually merged, there are several very strange constraints on how
fast-commit blocks are filled with tlv entries:
- tlvs must start at least 10 bytes before the end of the block, even
though the minimum tlv length is 8. Otherwise, the replay code will
ignore them. (BUG: ext4_fc_reserve_space() could violate this
requirement if called with a len of blocksize - 9 or blocksize - 8.
Fortunately, this doesn't seem to happen currently.)
- tlvs must end at least 1 byte before the end of the block. Otherwise
the replay code will consider them to be invalid. This quirk
contributed to a bug (fixed by an earlier commit) where uninitialized
memory was being leaked to disk in the last byte of blocks.
Also, strangely these constraints don't apply to the replay code in
e2fsprogs, which will accept any tlvs in the blocks (with no bounds
checks at all, but that is a separate issue...).
Given that this all seems to be a bug, let's fix it by just filling
blocks with tlv entries in the natural way.
Note that old kernels will be unable to replay fast-commit journals
created by kernels that have this commit.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/fast_commit.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "18f28f13301d1afb8cea9c4ddcecdbff14488ec6", "status": "affected", "version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e", "versionType": "git" }, { "lessThan": "5ca65dffdead16572ca046c43fb576b227f7f635", "status": "affected", "version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e", "versionType": "git" }, { "lessThan": "5439ad45c0d0c8db41eb6f4dce6f778f15a5ee16", "status": "affected", "version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e", "versionType": "git" }, { "lessThan": "48a6a66db82b8043d298a630f22c62d43550cae5", "status": "affected", "version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/fast_commit.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.18", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.18", "versionStartIncluding": "5.10", "vulnerable": 
true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.4", "versionStartIncluding": "5.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one errors in fast-commit block filling\n\nDue to several different off-by-one errors, or perhaps due to a late\nchange in design that wasn\u0027t fully reflected in the code that was\nactually merged, there are several very strange constraints on how\nfast-commit blocks are filled with tlv entries:\n\n- tlvs must start at least 10 bytes before the end of the block, even\n though the minimum tlv length is 8. Otherwise, the replay code will\n ignore them. (BUG: ext4_fc_reserve_space() could violate this\n requirement if called with a len of blocksize - 9 or blocksize - 8.\n Fortunately, this doesn\u0027t seem to happen currently.)\n\n- tlvs must end at least 1 byte before the end of the block. Otherwise\n the replay code will consider them to be invalid. This quirk\n contributed to a bug (fixed by an earlier commit) where uninitialized\n memory was being leaked to disk in the last byte of blocks.\n\nAlso, strangely these constraints don\u0027t apply to the replay code in\ne2fsprogs, which will accept any tlvs in the blocks (with no bounds\nchecks at all, but that is a separate issue...).\n\nGiven that this all seems to be a bug, let\u0027s fix it by just filling\nblocks with tlv entries in the natural way.\n\nNote that old kernels will be unable to replay fast-commit journals\ncreated by kernels that have this commit." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:07.245Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/18f28f13301d1afb8cea9c4ddcecdbff14488ec6" }, { "url": "https://git.kernel.org/stable/c/5ca65dffdead16572ca046c43fb576b227f7f635" }, { "url": "https://git.kernel.org/stable/c/5439ad45c0d0c8db41eb6f4dce6f778f15a5ee16" }, { "url": "https://git.kernel.org/stable/c/48a6a66db82b8043d298a630f22c62d43550cae5" } ], "title": "ext4: fix off-by-one errors in fast-commit block filling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50428", "datePublished": "2025-10-01T11:42:07.245Z", "dateReserved": "2025-09-17T14:53:07.008Z", "dateUpdated": "2025-10-01T11:42:07.245Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53451 (GCVE-0-2023-53451)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix potential NULL pointer dereference
Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
pointer before dereferencing the pointer.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_iocb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "02405f4023866ae91a611b5b85cb2e074ec2de5a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ee4c9a93238b9ce3703942500cb1aeacf77090d2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4f90a8b0481615622bd0558aa8cf361bea872045", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2bea9c1c983152c5411f5a2f1113cb790ce1389d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5a52a2e14fe866541bbc0033058e44bf0bf0c580", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ce2cdbe530b0066bae1f98dbab590a232d507eaa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "af7affc0f6b82a5bde430fc4f0dcf70963442fbc", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "464ea494a40c6e3e0e8f91dd325408aaf21515ba", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_iocb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.322", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.291", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.251", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.40", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.322", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.291", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.251", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix potential NULL pointer dereference\n\nKlocwork tool reported \u0027cur_dsd\u0027 may be dereferenced. Add fix to validate\npointer before dereferencing the pointer." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:22.857Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/02405f4023866ae91a611b5b85cb2e074ec2de5a" }, { "url": "https://git.kernel.org/stable/c/ee4c9a93238b9ce3703942500cb1aeacf77090d2" }, { "url": "https://git.kernel.org/stable/c/4f90a8b0481615622bd0558aa8cf361bea872045" }, { "url": "https://git.kernel.org/stable/c/2bea9c1c983152c5411f5a2f1113cb790ce1389d" }, { "url": "https://git.kernel.org/stable/c/5a52a2e14fe866541bbc0033058e44bf0bf0c580" }, { "url": "https://git.kernel.org/stable/c/ce2cdbe530b0066bae1f98dbab590a232d507eaa" }, { "url": "https://git.kernel.org/stable/c/af7affc0f6b82a5bde430fc4f0dcf70963442fbc" }, { "url": "https://git.kernel.org/stable/c/464ea494a40c6e3e0e8f91dd325408aaf21515ba" } ], "title": "scsi: qla2xxx: Fix potential NULL pointer dereference", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53451", "datePublished": "2025-10-01T11:42:22.857Z", "dateReserved": "2025-09-17T14:54:09.754Z", "dateUpdated": "2025-10-01T11:42:22.857Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53522 (GCVE-0-2023-53522)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
syzbot is reporting circular locking dependency between cpu_hotplug_lock
and freezer_mutex, for commit f5d39b020809 ("freezer,sched: Rewrite core
freezer logic") replaced atomic_inc() in freezer_apply_state() with
static_branch_inc() which holds cpu_hotplug_lock.
cpu_hotplug_lock => cgroup_threadgroup_rwsem => freezer_mutex
  cgroup_file_write() {
    cgroup_procs_write() {
      __cgroup_procs_write() {
        cgroup_procs_write_start() {
          cgroup_attach_lock() {
            cpus_read_lock() {
              percpu_down_read(&cpu_hotplug_lock);
            }
            percpu_down_write(&cgroup_threadgroup_rwsem);
          }
        }
        cgroup_attach_task() {
          cgroup_migrate() {
            cgroup_migrate_execute() {
              freezer_attach() {
                mutex_lock(&freezer_mutex);
                (...snipped...)
              }
            }
          }
        }
        (...snipped...)
      }
    }
  }
freezer_mutex => cpu_hotplug_lock
  cgroup_file_write() {
    freezer_write() {
      freezer_change_state() {
        mutex_lock(&freezer_mutex);
        freezer_apply_state() {
          static_branch_inc(&freezer_active) {
            static_key_slow_inc() {
              cpus_read_lock();
              static_key_slow_inc_cpuslocked();
              cpus_read_unlock();
            }
          }
        }
        mutex_unlock(&freezer_mutex);
      }
    }
  }
Swap locking order by moving cpus_read_lock() in freezer_apply_state()
to before mutex_lock(&freezer_mutex) in freezer_change_state().
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/cgroup/legacy_freezer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3756171b97c307d9df8b8ded1d883eec30172085", "status": "affected", "version": "f5d39b020809146cc28e6e73369bf8065e0310aa", "versionType": "git" }, { "lessThan": "34fbb7b45bae20b551dda24337c7761ca13ce69d", "status": "affected", "version": "f5d39b020809146cc28e6e73369bf8065e0310aa", "versionType": "git" }, { "lessThan": "57dcd64c7e036299ef526b400a8d12b8a2352f26", "status": "affected", "version": "f5d39b020809146cc28e6e73369bf8065e0310aa", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/cgroup/legacy_freezer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.25", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.25", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.12", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the 
Linux kernel, the following vulnerability has been resolved:\n\ncgroup,freezer: hold cpu_hotplug_lock before freezer_mutex\n\nsyzbot is reporting circular locking dependency between cpu_hotplug_lock\nand freezer_mutex, for commit f5d39b020809 (\"freezer,sched: Rewrite core\nfreezer logic\") replaced atomic_inc() in freezer_apply_state() with\nstatic_branch_inc() which holds cpu_hotplug_lock.\n\ncpu_hotplug_lock =\u003e cgroup_threadgroup_rwsem =\u003e freezer_mutex\n\n cgroup_file_write() {\n cgroup_procs_write() {\n __cgroup_procs_write() {\n cgroup_procs_write_start() {\n cgroup_attach_lock() {\n cpus_read_lock() {\n percpu_down_read(\u0026cpu_hotplug_lock);\n }\n percpu_down_write(\u0026cgroup_threadgroup_rwsem);\n }\n }\n cgroup_attach_task() {\n cgroup_migrate() {\n cgroup_migrate_execute() {\n freezer_attach() {\n mutex_lock(\u0026freezer_mutex);\n (...snipped...)\n }\n }\n }\n }\n (...snipped...)\n }\n }\n }\n\nfreezer_mutex =\u003e cpu_hotplug_lock\n\n cgroup_file_write() {\n freezer_write() {\n freezer_change_state() {\n mutex_lock(\u0026freezer_mutex);\n freezer_apply_state() {\n static_branch_inc(\u0026freezer_active) {\n static_key_slow_inc() {\n cpus_read_lock();\n static_key_slow_inc_cpuslocked();\n cpus_read_unlock();\n }\n }\n }\n mutex_unlock(\u0026freezer_mutex);\n }\n }\n }\n\nSwap locking order by moving cpus_read_lock() in freezer_apply_state()\nto before mutex_lock(\u0026freezer_mutex) in freezer_change_state()." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:08.909Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3756171b97c307d9df8b8ded1d883eec30172085" }, { "url": "https://git.kernel.org/stable/c/34fbb7b45bae20b551dda24337c7761ca13ce69d" }, { "url": "https://git.kernel.org/stable/c/57dcd64c7e036299ef526b400a8d12b8a2352f26" } ], "title": "cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53522", "datePublished": "2025-10-01T11:46:08.909Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:08.909Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53473 (GCVE-0-2023-53473)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: improve error handling from ext4_dirhash()
The ext4_dirhash() will *almost* never fail, especially when the hash
tree feature was first introduced. However, with the addition of
support of encrypted, casefolded file names, that function can most
certainly fail today.
So make sure the callers of ext4_dirhash() properly check for
failures, and reflect the errors back up to their callers.
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/hash.c", "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b2531936118deb3f479c4fa1bcd787b74b8faa6a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f68876aeef96ef8b708ab10b9cb47ce0a5adb424", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "70d579aefa652a06af97e013e3fbbabbe5a43553", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c1fae027da61fe8e7eb99f7244297e81bc0f1e43", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/hash.c", "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.112", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.29", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.16", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.112", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: improve error handling from ext4_dirhash()\n\nThe ext4_dirhash() will *almost* never fail, especially when the hash\ntree feature was first introduced. However, with the addition of\nsupport of encrypted, casefolded file names, that function can most\ncertainly fail today.\n\nSo make sure the callers of ext4_dirhash() properly check for\nfailures, and reflect the errors back up to their callers." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:42.875Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b2531936118deb3f479c4fa1bcd787b74b8faa6a" }, { "url": "https://git.kernel.org/stable/c/f68876aeef96ef8b708ab10b9cb47ce0a5adb424" }, { "url": "https://git.kernel.org/stable/c/70d579aefa652a06af97e013e3fbbabbe5a43553" }, { "url": "https://git.kernel.org/stable/c/c1fae027da61fe8e7eb99f7244297e81bc0f1e43" }, { "url": "https://git.kernel.org/stable/c/4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786" } ], "title": "ext4: improve error handling from ext4_dirhash()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53473", "datePublished": "2025-10-01T11:42:42.875Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:42.875Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53502 (GCVE-0-2023-53502)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2025-10-01T13:08:20.461Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "rejectedReasons": [ { "lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ] } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53502", "datePublished": "2025-10-01T11:45:53.127Z", "dateRejected": "2025-10-01T13:08:20.461Z", "dateReserved": "2025-10-01T11:39:39.404Z", "dateUpdated": "2025-10-01T13:08:20.461Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50430 (GCVE-0-2022-50430)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
vub300_enable_sdio_irq() works with mutex and need TASK_RUNNING here.
Ensure that we mark current as TASK_RUNNING for sleepable context.
[ 77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff92a72c1d>] sdio_irq_thread+0x17d/0x5b0
[ 77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160
[ 77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G OE 6.1.0-rc5 #1
[ 77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
[ 77.554912] RIP: 0010:__might_sleep+0x116/0x160
[ 77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282
[ 77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000
[ 77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9
[ 77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba
[ 77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60
[ 77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660
[ 77.554934] FS: 0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000
[ 77.554937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0
[ 77.554942] Call Trace:
[ 77.554944] <TASK>
[ 77.554952] mutex_lock+0x78/0xf0
[ 77.554973] vub300_enable_sdio_irq+0x103/0x3c0 [vub300]
[ 77.554981] sdio_irq_thread+0x25c/0x5b0
[ 77.555006] kthread+0x2b8/0x370
[ 77.555017] ret_from_fork+0x1f/0x30
[ 77.555023] </TASK>
[ 77.555025] ---[ end trace 0000000000000000 ]---
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 88095e7b473a3d9ec3b9c60429576e9cbd327c89
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/mmc/host/vub300.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "32d5af247d4de6a35769ca1d027480a37c28fd0c", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "48e91ae755f027d817ed7e51db9963ddb7081946", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "6f7258c6f66692b3760c37ddd4bc9e02bb290da7", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "f1c08947ab0538b07a0bd9d6edadfb5185f56344", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "b51d5fed9f53e07ce9fc65efb4ff1abe021a4c16", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "d58289fc77f8c1f879c818bddaf7ef524c73658b", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "d15946ef98f4ccdca961b76f90d9b53c454d590e", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "ba2e7d07dd06e646a72ba906a89fdc1cca7ea560", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" }, { "lessThan": "4a44cd249604e29e7b90ae796d7692f5773dd348", "status": "affected", "version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/mmc/host/vub300.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.0" }, { "lessThan": "3.0", "status": "unaffected", "version": 
"0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.17", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.0.17", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.3", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING\n\nvub300_enable_sdio_irq() works with mutex and need TASK_RUNNING here.\nEnsure that we mark current as TASK_RUNNING for sleepable context.\n\n[ 77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [\u003cffffffff92a72c1d\u003e] sdio_irq_thread+0x17d/0x5b0\n[ 77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160\n[ 77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G OE 6.1.0-rc5 #1\n[ 77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020\n[ 77.554912] RIP: 0010:__might_sleep+0x116/0x160\n[ 77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282\n[ 77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000\n[ 77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9\n[ 77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba\n[ 77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60\n[ 77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660\n[ 77.554934] FS: 0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000\n[ 77.554937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0\n[ 77.554942] Call Trace:\n[ 77.554944] \u003cTASK\u003e\n[ 77.554952] 
mutex_lock+0x78/0xf0\n[ 77.554973] vub300_enable_sdio_irq+0x103/0x3c0 [vub300]\n[ 77.554981] sdio_irq_thread+0x25c/0x5b0\n[ 77.555006] kthread+0x2b8/0x370\n[ 77.555017] ret_from_fork+0x1f/0x30\n[ 77.555023] \u003c/TASK\u003e\n[ 77.555025] ---[ end trace 0000000000000000 ]---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:08.708Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/32d5af247d4de6a35769ca1d027480a37c28fd0c" }, { "url": "https://git.kernel.org/stable/c/48e91ae755f027d817ed7e51db9963ddb7081946" }, { "url": "https://git.kernel.org/stable/c/6f7258c6f66692b3760c37ddd4bc9e02bb290da7" }, { "url": "https://git.kernel.org/stable/c/f1c08947ab0538b07a0bd9d6edadfb5185f56344" }, { "url": "https://git.kernel.org/stable/c/b51d5fed9f53e07ce9fc65efb4ff1abe021a4c16" }, { "url": "https://git.kernel.org/stable/c/d58289fc77f8c1f879c818bddaf7ef524c73658b" }, { "url": "https://git.kernel.org/stable/c/d15946ef98f4ccdca961b76f90d9b53c454d590e" }, { "url": "https://git.kernel.org/stable/c/ba2e7d07dd06e646a72ba906a89fdc1cca7ea560" }, { "url": "https://git.kernel.org/stable/c/4a44cd249604e29e7b90ae796d7692f5773dd348" } ], "title": "mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50430", "datePublished": "2025-10-01T11:42:08.708Z", "dateReserved": "2025-09-17T14:53:07.009Z", "dateUpdated": "2025-10-01T11:42:08.708Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53450 (GCVE-0-2023-53450)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: remove a BUG_ON in ext4_mb_release_group_pa()
If a malicious fuzzer overwrites the ext4 superblock while it is
mounted such that the s_first_data_block is set to a very large
number, the calculation of the block group can underflow, and trigger
a BUG_ON check. Change this to be an ext4_warning so that we don't
crash the kernel.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d5bf8f7fb3ee3d99d1303ceb54599ea0599a4a5b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ef16d8a1798db1a1604ac44ca1bd73ec6bebf483", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "185062a21976fbc38f2efd296951b02c4500cf65", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b0fc279de4bf17e1710bb7e83906538ff8f11111", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "978e5e9111af18741449b81fefd531a622dd969a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d87a4e4094c9879fc8acdff8ce59fdffa979c8e0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bf2a16eb4e6d06124bd8436d4546f61539a65f29", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "53c14e7cc2257191ba15425c15638fc4f8abb92b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "463808f237cf73e98a1a45ff7460c2406a150a0b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/mballoc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.315", "versionType": "semver" }, { 
"lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.283", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.243", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.180", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.112", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.29", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.16", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.315", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.283", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.243", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.180", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.112", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], 
"descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: remove a BUG_ON in ext4_mb_release_group_pa()\n\nIf a malicious fuzzer overwrites the ext4 superblock while it is\nmounted such that the s_first_data_block is set to a very large\nnumber, the calculation of the block group can underflow, and trigger\na BUG_ON check. Change this to be an ext4_warning so that we don\u0027t\ncrash the kernel." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:22.074Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d5bf8f7fb3ee3d99d1303ceb54599ea0599a4a5b" }, { "url": "https://git.kernel.org/stable/c/ef16d8a1798db1a1604ac44ca1bd73ec6bebf483" }, { "url": "https://git.kernel.org/stable/c/185062a21976fbc38f2efd296951b02c4500cf65" }, { "url": "https://git.kernel.org/stable/c/b0fc279de4bf17e1710bb7e83906538ff8f11111" }, { "url": "https://git.kernel.org/stable/c/978e5e9111af18741449b81fefd531a622dd969a" }, { "url": "https://git.kernel.org/stable/c/d87a4e4094c9879fc8acdff8ce59fdffa979c8e0" }, { "url": "https://git.kernel.org/stable/c/bf2a16eb4e6d06124bd8436d4546f61539a65f29" }, { "url": "https://git.kernel.org/stable/c/53c14e7cc2257191ba15425c15638fc4f8abb92b" }, { "url": "https://git.kernel.org/stable/c/463808f237cf73e98a1a45ff7460c2406a150a0b" } ], "title": "ext4: remove a BUG_ON in ext4_mb_release_group_pa()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53450", "datePublished": "2025-10-01T11:42:22.074Z", "dateReserved": "2025-09-17T14:54:09.754Z", "dateUpdated": "2025-10-01T11:42:22.074Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53475 (GCVE-0-2023-53475)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: tegra: fix sleep in atomic call
When we set the dual-role port to Host mode, we observed the following
splat:
[ 167.057718] BUG: sleeping function called from invalid context at
include/linux/sched/mm.h:229
[ 167.057872] Workqueue: events tegra_xusb_usb_phy_work
[ 167.057954] Call trace:
[ 167.057962] dump_backtrace+0x0/0x210
[ 167.057996] show_stack+0x30/0x50
[ 167.058020] dump_stack_lvl+0x64/0x84
[ 167.058065] dump_stack+0x14/0x34
[ 167.058100] __might_resched+0x144/0x180
[ 167.058140] __might_sleep+0x64/0xd0
[ 167.058171] slab_pre_alloc_hook.constprop.0+0xa8/0x110
[ 167.058202] __kmalloc_track_caller+0x74/0x2b0
[ 167.058233] kvasprintf+0xa4/0x190
[ 167.058261] kasprintf+0x58/0x90
[ 167.058285] tegra_xusb_find_port_node.isra.0+0x58/0xd0
[ 167.058334] tegra_xusb_find_port+0x38/0xa0
[ 167.058380] tegra_xusb_padctl_get_usb3_companion+0x38/0xd0
[ 167.058430] tegra_xhci_id_notify+0x8c/0x1e0
[ 167.058473] notifier_call_chain+0x88/0x100
[ 167.058506] atomic_notifier_call_chain+0x44/0x70
[ 167.058537] tegra_xusb_usb_phy_work+0x60/0xd0
[ 167.058581] process_one_work+0x1dc/0x4c0
[ 167.058618] worker_thread+0x54/0x410
[ 167.058650] kthread+0x188/0x1b0
[ 167.058672] ret_from_fork+0x10/0x20
The function tegra_xusb_padctl_get_usb3_companion eventually calls
tegra_xusb_find_port and this in turn calls kasprintf which might sleep
and so cannot be called from an atomic context.
Fix this by moving the call to tegra_xusb_padctl_get_usb3_companion to
the tegra_xhci_id_work function where it is really needed.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: f836e7843036fbf34320356e156cd4267fa5bfa2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/host/xhci-tegra.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b4b4f17aa46c025da77aed5133b08971959c9684", "status": "affected", "version": "f836e7843036fbf34320356e156cd4267fa5bfa2", "versionType": "git" }, { "lessThan": "1122474b757a5dd8b2b50008a97f33cdb10dff6e", "status": "affected", "version": "f836e7843036fbf34320356e156cd4267fa5bfa2", "versionType": "git" }, { "lessThan": "130c61c516cd0684282a8f6ab163281d60642fc5", "status": "affected", "version": "f836e7843036fbf34320356e156cd4267fa5bfa2", "versionType": "git" }, { "lessThan": "1fe6015aa92cc0dfd875c1d3c7c1750a1b0767d9", "status": "affected", "version": "f836e7843036fbf34320356e156cd4267fa5bfa2", "versionType": "git" }, { "lessThan": "4c7f9d2e413dc06a157c4e5dccde84aaf4655eb3", "status": "affected", "version": "f836e7843036fbf34320356e156cd4267fa5bfa2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/host/xhci-tegra.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.178", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.107", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.24", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.178", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.107", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.24", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.11", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: tegra: fix sleep in atomic call\n\nWhen we set the dual-role port to Host mode, we observed the following\nsplat:\n[ 167.057718] BUG: sleeping function called from invalid context at\ninclude/linux/sched/mm.h:229\n[ 167.057872] Workqueue: events tegra_xusb_usb_phy_work\n[ 167.057954] Call trace:\n[ 167.057962] dump_backtrace+0x0/0x210\n[ 167.057996] show_stack+0x30/0x50\n[ 167.058020] dump_stack_lvl+0x64/0x84\n[ 167.058065] dump_stack+0x14/0x34\n[ 167.058100] __might_resched+0x144/0x180\n[ 167.058140] __might_sleep+0x64/0xd0\n[ 167.058171] slab_pre_alloc_hook.constprop.0+0xa8/0x110\n[ 167.058202] __kmalloc_track_caller+0x74/0x2b0\n[ 167.058233] kvasprintf+0xa4/0x190\n[ 167.058261] kasprintf+0x58/0x90\n[ 167.058285] tegra_xusb_find_port_node.isra.0+0x58/0xd0\n[ 167.058334] tegra_xusb_find_port+0x38/0xa0\n[ 167.058380] tegra_xusb_padctl_get_usb3_companion+0x38/0xd0\n[ 167.058430] tegra_xhci_id_notify+0x8c/0x1e0\n[ 167.058473] notifier_call_chain+0x88/0x100\n[ 167.058506] atomic_notifier_call_chain+0x44/0x70\n[ 167.058537] tegra_xusb_usb_phy_work+0x60/0xd0\n[ 167.058581] 
process_one_work+0x1dc/0x4c0\n[ 167.058618] worker_thread+0x54/0x410\n[ 167.058650] kthread+0x188/0x1b0\n[ 167.058672] ret_from_fork+0x10/0x20\n\nThe function tegra_xusb_padctl_get_usb3_companion eventually calls\ntegra_xusb_find_port and this in turn calls kasprintf which might sleep\nand so cannot be called from an atomic context.\n\nFix this by moving the call to tegra_xusb_padctl_get_usb3_companion to\nthe tegra_xhci_id_work function where it is really needed." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:44.604Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b4b4f17aa46c025da77aed5133b08971959c9684" }, { "url": "https://git.kernel.org/stable/c/1122474b757a5dd8b2b50008a97f33cdb10dff6e" }, { "url": "https://git.kernel.org/stable/c/130c61c516cd0684282a8f6ab163281d60642fc5" }, { "url": "https://git.kernel.org/stable/c/1fe6015aa92cc0dfd875c1d3c7c1750a1b0767d9" }, { "url": "https://git.kernel.org/stable/c/4c7f9d2e413dc06a157c4e5dccde84aaf4655eb3" } ], "title": "usb: xhci: tegra: fix sleep in atomic call", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53475", "datePublished": "2025-10-01T11:42:44.604Z", "dateReserved": "2025-10-01T11:39:39.401Z", "dateUpdated": "2025-10-01T11:42:44.604Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53528 (GCVE-0-2023-53528)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix unsafe drain work queue code
If create_qp does not fully succeed it is possible for qp cleanup
code to attempt to drain the send or recv work queues before the
queues have been created causing a seg fault. This patch checks
to see if the queues exist before attempting to drain them.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_comp.c", "drivers/infiniband/sw/rxe/rxe_resp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "da572f6313aeead1f79e0810666bd8d8ffc794d4", "status": "affected", "version": "49dc9c1f0c7e396654a31a480328fffd902fa494", "versionType": "git" }, { "lessThan": "d366642b3099bd322375f5b71ba84ab1d586cd6d", "status": "affected", "version": "49dc9c1f0c7e396654a31a480328fffd902fa494", "versionType": "git" }, { "lessThan": "5993b75d0bc71cd2b441d174b028fc36180f032c", "status": "affected", "version": "49dc9c1f0c7e396654a31a480328fffd902fa494", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/sw/rxe/rxe_comp.c", "drivers/infiniband/sw/rxe/rxe_resp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.16", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "6.4", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix unsafe drain work queue code\n\nIf create_qp does not fully succeed it is possible for qp cleanup\ncode to attempt to drain the send or recv work queues before the\nqueues have been created causing a seg fault. This patch checks\nto see if the queues exist before attempting to drain them." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:13.504Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/da572f6313aeead1f79e0810666bd8d8ffc794d4" }, { "url": "https://git.kernel.org/stable/c/d366642b3099bd322375f5b71ba84ab1d586cd6d" }, { "url": "https://git.kernel.org/stable/c/5993b75d0bc71cd2b441d174b028fc36180f032c" } ], "title": "RDMA/rxe: Fix unsafe drain work queue code", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53528", "datePublished": "2025-10-01T11:46:13.504Z", "dateReserved": "2025-10-01T11:39:39.408Z", "dateUpdated": "2025-10-01T11:46:13.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50442 (GCVE-0-2022-50442)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Validate buffer length while parsing index
indx_read is called when we have some NTFS directory operations that
need more information from the index buffers. This adds a sanity check
to make sure the returned index buffer length is legit, or we may have
some out-of-bound memory accesses.
[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320
[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245
[ 560.898760]
[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37
[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 560.900170] Call Trace:
[ 560.900407] <TASK>
[ 560.900732] dump_stack_lvl+0x49/0x63
[ 560.901108] print_report.cold+0xf5/0x689
[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320
[ 560.901716] kasan_report+0xa7/0x130
[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320
[ 560.902208] __asan_load2+0x68/0x90
[ 560.902427] hdr_find_e.isra.0+0x10c/0x320
[ 560.902846] ? cmp_uints+0xe0/0xe0
[ 560.903363] ? cmp_sdh+0x90/0x90
[ 560.903883] ? ntfs_bread_run+0x190/0x190
[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750
[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130
[ 560.905259] ? __kasan_check_write+0x14/0x20
[ 560.905599] ? up_read+0x1a/0x90
[ 560.905853] ? indx_read+0x22c/0x380
[ 560.906096] indx_find+0x2ef/0x470
[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0
[ 560.906692] ? __kasan_kmalloc+0x88/0xb0
[ 560.906977] dir_search_u+0x196/0x2f0
[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450
[ 560.907464] ? __kasan_check_write+0x14/0x20
[ 560.907747] ? mutex_lock+0x8f/0xe0
[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20
[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0
[ 560.908459] ntfs_lookup+0xe0/0x100
[ 560.908788] __lookup_slow+0x116/0x220
[ 560.909050] ? lookup_fast+0x1b0/0x1b0
[ 560.909309] ? lookup_fast+0x13f/0x1b0
[ 560.909601] walk_component+0x187/0x230
[ 560.909944] link_path_walk.part.0+0x3f0/0x660
[ 560.910285] ? handle_lookup_down+0x90/0x90
[ 560.910618] ? path_init+0x642/0x6e0
[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0
[ 560.912559] ? __alloc_file+0x114/0x170
[ 560.913008] path_openat+0x19c/0x1d10
[ 560.913419] ? getname_flags+0x73/0x2b0
[ 560.913815] ? kasan_save_stack+0x3a/0x50
[ 560.914125] ? kasan_save_stack+0x26/0x50
[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90
[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0
[ 560.915339] ? getname_flags+0x73/0x2b0
[ 560.915647] ? getname+0x12/0x20
[ 560.916114] ? __x64_sys_open+0x4c/0x60
[ 560.916460] ? path_lookupat.isra.0+0x230/0x230
[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0
[ 560.917194] do_filp_open+0x15c/0x1f0
[ 560.917448] ? may_open_dev+0x60/0x60
[ 560.917696] ? expand_files+0xa4/0x3a0
[ 560.917923] ? __kasan_check_write+0x14/0x20
[ 560.918185] ? _raw_spin_lock+0x88/0xdb
[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100
[ 560.918783] ? _find_next_bit+0x4a/0x130
[ 560.919026] ? _raw_spin_unlock+0x19/0x40
[ 560.919276] ? alloc_fd+0x14b/0x2d0
[ 560.919635] do_sys_openat2+0x32a/0x4b0
[ 560.920035] ? file_open_root+0x230/0x230
[ 560.920336] ? __rcu_read_unlock+0x5b/0x280
[ 560.920813] do_sys_open+0x99/0xf0
[ 560.921208] ? filp_open+0x60/0x60
[ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180
[ 560.921867] __x64_sys_open+0x4c/0x60
[ 560.922128] do_syscall_64+0x3b/0x90
[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 560.923030] RIP: 0033:0x7f7dff2e4469
[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002
[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469
[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI:
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ntfs3/index.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3cd9e5b41b83bb57ac3cf9888f9fef2a6ef8ed96", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "b15374365c9d10445ea7d66cdf885457a0223fc2", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "3f6f75e8863f41c8b3dbfd9d99e3963aaca42601", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" }, { "lessThan": "4d42ecda239cc13738d6fd84d098a32e67b368b9", "status": "affected", "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ntfs3/index.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.17", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.17", "versionStartIncluding": "5.15", "vulnerable": true }, { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.3", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate buffer length while parsing index\n\nindx_read is called when we have some NTFS directory operations that\nneed more information from the index buffers. This adds a sanity check\nto make sure the returned index buffer length is legit, or we may have\nsome out-of-bound memory accesses.\n\n[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320\n[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245\n[ 560.898760]\n[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37\n[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 560.900170] Call Trace:\n[ 560.900407] \u003cTASK\u003e\n[ 560.900732] dump_stack_lvl+0x49/0x63\n[ 560.901108] print_report.cold+0xf5/0x689\n[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320\n[ 560.901716] kasan_report+0xa7/0x130\n[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320\n[ 560.902208] __asan_load2+0x68/0x90\n[ 560.902427] hdr_find_e.isra.0+0x10c/0x320\n[ 560.902846] ? cmp_uints+0xe0/0xe0\n[ 560.903363] ? cmp_sdh+0x90/0x90\n[ 560.903883] ? ntfs_bread_run+0x190/0x190\n[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750\n[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130\n[ 560.905259] ? __kasan_check_write+0x14/0x20\n[ 560.905599] ? up_read+0x1a/0x90\n[ 560.905853] ? indx_read+0x22c/0x380\n[ 560.906096] indx_find+0x2ef/0x470\n[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0\n[ 560.906692] ? 
__kasan_kmalloc+0x88/0xb0\n[ 560.906977] dir_search_u+0x196/0x2f0\n[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450\n[ 560.907464] ? __kasan_check_write+0x14/0x20\n[ 560.907747] ? mutex_lock+0x8f/0xe0\n[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20\n[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0\n[ 560.908459] ntfs_lookup+0xe0/0x100\n[ 560.908788] __lookup_slow+0x116/0x220\n[ 560.909050] ? lookup_fast+0x1b0/0x1b0\n[ 560.909309] ? lookup_fast+0x13f/0x1b0\n[ 560.909601] walk_component+0x187/0x230\n[ 560.909944] link_path_walk.part.0+0x3f0/0x660\n[ 560.910285] ? handle_lookup_down+0x90/0x90\n[ 560.910618] ? path_init+0x642/0x6e0\n[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0\n[ 560.912559] ? __alloc_file+0x114/0x170\n[ 560.913008] path_openat+0x19c/0x1d10\n[ 560.913419] ? getname_flags+0x73/0x2b0\n[ 560.913815] ? kasan_save_stack+0x3a/0x50\n[ 560.914125] ? kasan_save_stack+0x26/0x50\n[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90\n[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0\n[ 560.915339] ? getname_flags+0x73/0x2b0\n[ 560.915647] ? getname+0x12/0x20\n[ 560.916114] ? __x64_sys_open+0x4c/0x60\n[ 560.916460] ? path_lookupat.isra.0+0x230/0x230\n[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0\n[ 560.917194] do_filp_open+0x15c/0x1f0\n[ 560.917448] ? may_open_dev+0x60/0x60\n[ 560.917696] ? expand_files+0xa4/0x3a0\n[ 560.917923] ? __kasan_check_write+0x14/0x20\n[ 560.918185] ? _raw_spin_lock+0x88/0xdb\n[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100\n[ 560.918783] ? _find_next_bit+0x4a/0x130\n[ 560.919026] ? _raw_spin_unlock+0x19/0x40\n[ 560.919276] ? alloc_fd+0x14b/0x2d0\n[ 560.919635] do_sys_openat2+0x32a/0x4b0\n[ 560.920035] ? file_open_root+0x230/0x230\n[ 560.920336] ? __rcu_read_unlock+0x5b/0x280\n[ 560.920813] do_sys_open+0x99/0xf0\n[ 560.921208] ? filp_open+0x60/0x60\n[ 560.921482] ? 
exit_to_user_mode_prepare+0x49/0x180\n[ 560.921867] __x64_sys_open+0x4c/0x60\n[ 560.922128] do_syscall_64+0x3b/0x90\n[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 560.923030] RIP: 0033:0x7f7dff2e4469\n[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002\n[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469\n[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI:\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:16.226Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3cd9e5b41b83bb57ac3cf9888f9fef2a6ef8ed96" }, { "url": "https://git.kernel.org/stable/c/b15374365c9d10445ea7d66cdf885457a0223fc2" }, { "url": "https://git.kernel.org/stable/c/3f6f75e8863f41c8b3dbfd9d99e3963aaca42601" }, { "url": "https://git.kernel.org/stable/c/4d42ecda239cc13738d6fd84d098a32e67b368b9" } ], "title": "fs/ntfs3: Validate buffer length while parsing index", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50442", "datePublished": "2025-10-01T11:42:18.012Z", "dateReserved": "2025-09-17T14:53:07.010Z", "dateUpdated": "2025-10-02T07:04:16.226Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53458 (GCVE-0-2023-53458)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()
When the driver calls cx23885_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in an empty buffer
risc->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.
This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.
We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of cx23885_risc_buffer()
and the value of risc->cpu before buffer free.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/pci/cx23885/cx23885-core.c", "drivers/media/pci/cx23885/cx23885-video.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f0a06203f2fe63f04311467200c99c4ee1926578", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6738841f6fcf23e9fc30e2449f32fc84ee19c6f1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5b8e5e28e85a546dfccc3895befe0e823fdd7c89", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "47e8b73bc35d7c54642f78e498697692f6358996", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/pci/cx23885/cx23885-core.c", "drivers/media/pci/cx23885/cx23885-video.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()\n\nWhen the driver calls cx23885_risc_buffer() to prepare the buffer, the\nfunction call dma_alloc_coherent may fail, resulting in a empty buffer\nrisc-\u003ecpu. Later when we free the buffer or access the buffer, null ptr\nderef is triggered.\n\nThis bug is similar to the following one:\nhttps://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.\n\nWe believe the bug can be also dynamically triggered from user side.\nSimilarly, we fix this by checking the return value of cx23885_risc_buffer()\nand the value of risc-\u003ecpu before buffer free." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:29.665Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f0a06203f2fe63f04311467200c99c4ee1926578" }, { "url": "https://git.kernel.org/stable/c/6738841f6fcf23e9fc30e2449f32fc84ee19c6f1" }, { "url": "https://git.kernel.org/stable/c/5b8e5e28e85a546dfccc3895befe0e823fdd7c89" }, { "url": "https://git.kernel.org/stable/c/47e8b73bc35d7c54642f78e498697692f6358996" } ], "title": "media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53458", "datePublished": "2025-10-01T11:42:29.665Z", "dateReserved": "2025-10-01T11:39:39.399Z", "dateUpdated": "2025-10-01T11:42:29.665Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53461 (GCVE-0-2023-53461)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: wait interruptibly for request completions on exit
When the ring exits, cleanup is done and the final cancelation and
waiting on completions is done by io_ring_exit_work. That function is
invoked by kworker, which doesn't take any signals. Because of that, it
doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE
or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task
detection checker!
Normally we expect cancelations and completions to happen rather
quickly. Some test cases, however, will exit the ring and park the
owning task stopped (eg via SIGSTOP). If the owning task needs to run
task_work to complete requests, then io_ring_exit_work won't make any
progress until the task is runnable again. Hence io_ring_exit_work can
trigger the hung task detection, which is particularly problematic if
panic-on-hung-task is enabled.
As the ring exit doesn't take signals to begin with, have it wait
interruptibly rather than uninterruptibly. io_uring has a separate
stuck-exit warning that triggers independently anyway, so we're not
really missing anything by making this switch.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 2b188cc1bb857a9d4701ae59aa7768b5124e262e
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/io_uring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "28e649dc9947e6525c95e32aa9a8e147925e3f56", "status": "affected", "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "versionType": "git" }, { "lessThan": "8e29835366138389bfad3b31ea06960d0a77bf77", "status": "affected", "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "versionType": "git" }, { "lessThan": "b50d6e06cca7b67a3d73ca660dda27662b76e6ea", "status": "affected", "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "versionType": "git" }, { "lessThan": "58e80cb68b057e974768792c34708c6957810486", "status": "affected", "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "versionType": "git" }, { "lessThan": "4826c59453b3b4677d6bf72814e7ababdea86949", "status": "affected", "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/io_uring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "5.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: wait interruptibly for request completions on exit\n\nWHen the ring exits, cleanup is done and the final cancelation and\nwaiting on completions is done by io_ring_exit_work. That function is\ninvoked by kworker, which doesn\u0027t take any signals. Because of that, it\ndoesn\u0027t really matter if we wait for completions in TASK_INTERRUPTIBLE\nor TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task\ndetection checker!\n\nNormally we expect cancelations and completions to happen rather\nquickly. Some test cases, however, will exit the ring and park the\nowning task stopped (eg via SIGSTOP). If the owning task needs to run\ntask_work to complete requests, then io_ring_exit_work won\u0027t make any\nprogress until the task is runnable again. Hence io_ring_exit_work can\ntrigger the hung task detection, which is particularly problematic if\npanic-on-hung-task is enabled.\n\nAs the ring exit doesn\u0027t take signals to begin with, have it wait\ninterruptibly rather than uninterruptibly. 
io_uring has a separate\nstuck-exit warning that triggers independently anyway, so we\u0027re not\nreally missing anything by making this switch." } ], "providerMetadata": { "dateUpdated": "2025-10-02T07:04:22.533Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/28e649dc9947e6525c95e32aa9a8e147925e3f56" }, { "url": "https://git.kernel.org/stable/c/8e29835366138389bfad3b31ea06960d0a77bf77" }, { "url": "https://git.kernel.org/stable/c/b50d6e06cca7b67a3d73ca660dda27662b76e6ea" }, { "url": "https://git.kernel.org/stable/c/58e80cb68b057e974768792c34708c6957810486" }, { "url": "https://git.kernel.org/stable/c/4826c59453b3b4677d6bf72814e7ababdea86949" } ], "title": "io_uring: wait interruptibly for request completions on exit", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53461", "datePublished": "2025-10-01T11:42:32.525Z", "dateReserved": "2025-10-01T11:39:39.399Z", "dateUpdated": "2025-10-02T07:04:22.533Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53500 (GCVE-0-2023-53500)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix slab-use-after-free in decode_session6

When the xfrm device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when the xfrm device sends IPv6 packets.

The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff8881111458ef by task swapper/3/0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
xfrmi_xmit+0x173/0x1ca0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:intel_idle_hlt+0x23/0x30
Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
cpuidle_enter_state+0xd3/0x6f0
cpuidle_enter+0x4e/0xa0
do_idle+0x2fe/0x3c0
cpu_startup_entry+0x18/0x20
start_secondary+0x200/0x290
secondary_startup_64_no_verify+0x167/0x16b
</TASK>
Allocated by task 939:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
inet6_ifa_notify+0x118/0x230
__ipv6_ifa_notify+0x177/0xbe0
addrconf_dad_completed+0x133/0xe00
addrconf_dad_work+0x764/0x1390
process_one_work+0xa32/0x16f0
worker_thread+0x67d/0x10c0
kthread+0x344/0x440
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888111145800
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 239 bytes inside of
freed 640-byte region [ffff888111145800, ffff888111145a80)

As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | f855691975bb06373a98711e4cfe2c224244b536 (affected from 3.19; unaffected before 3.19, from 4.19.293, 5.4.255, 5.10.192, 5.15.128, 6.1.47 and 6.4.12 within their stable series, and from 6.5)

Affected file: net/xfrm/xfrm_interface_core.c
CVE-2023-53455 (GCVE-0-2023-53455)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: drop all currently held locks if deadlock happens

If vc4_hdmi_reset_link() returns -EDEADLK, it means that a deadlock
happened in the locking context. This situation should be addressed by
dropping all currently held locks and blocking until the contended lock
becomes available. Currently, vc4 is not dealing with the deadlock
properly, producing the following output when PROVE_LOCKING is enabled:
[ 825.612809] ------------[ cut here ]------------
[ 825.612852] WARNING: CPU: 1 PID: 116 at drivers/gpu/drm/drm_modeset_lock.c:276 drm_modeset_drop_locks+0x60/0x68 [drm]
[ 825.613458] Modules linked in: 8021q mrp garp stp llc
raspberrypi_cpufreq brcmfmac brcmutil crct10dif_ce hci_uart cfg80211
btqca btbcm bluetooth vc4 raspberrypi_hwmon snd_soc_hdmi_codec cec
clk_raspberrypi ecdh_generic drm_display_helper ecc rfkill
drm_dma_helper drm_kms_helper pwm_bcm2835 bcm2835_thermal bcm2835_rng
rng_core i2c_bcm2835 drm fuse ip_tables x_tables ipv6
[ 825.613735] CPU: 1 PID: 116 Comm: kworker/1:2 Tainted: G W 6.1.0-rc6-01399-g941aae326315 #3
[ 825.613759] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[ 825.613777] Workqueue: events output_poll_execute [drm_kms_helper]
[ 825.614038] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 825.614063] pc : drm_modeset_drop_locks+0x60/0x68 [drm]
[ 825.614603] lr : drm_helper_probe_detect+0x120/0x1b4 [drm_kms_helper]
[ 825.614829] sp : ffff800008313bf0
[ 825.614844] x29: ffff800008313bf0 x28: ffffcd7778b8b000 x27: 0000000000000000
[ 825.614883] x26: 0000000000000001 x25: 0000000000000001 x24: ffff677cc35c2758
[ 825.614920] x23: ffffcd7707d01430 x22: ffffcd7707c3edc7 x21: 0000000000000001
[ 825.614958] x20: 0000000000000000 x19: ffff800008313c10 x18: 000000000000b6d3
[ 825.614995] x17: ffffcd777835e214 x16: ffffcd7777cef870 x15: fffff81000000000
[ 825.615033] x14: 0000000000000000 x13: 0000000000000099 x12: 0000000000000002
[ 825.615070] x11: 72917988020af800 x10: 72917988020af800 x9 : 72917988020af800
[ 825.615108] x8 : ffff677cc665e0a8 x7 : d00a8c180000110c x6 : ffffcd77774c0054
[ 825.615145] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
[ 825.615181] x2 : ffff677cc55e1880 x1 : ffffcd7777cef8ec x0 : ffff800008313c10
[ 825.615219] Call trace:
[ 825.615232] drm_modeset_drop_locks+0x60/0x68 [drm]
[ 825.615773] drm_helper_probe_detect+0x120/0x1b4 [drm_kms_helper]
[ 825.616003] output_poll_execute+0xe4/0x224 [drm_kms_helper]
[ 825.616233] process_one_work+0x2b4/0x618
[ 825.616264] worker_thread+0x24c/0x464
[ 825.616288] kthread+0xec/0x110
[ 825.616310] ret_from_fork+0x10/0x20
[ 825.616335] irq event stamp: 7634
[ 825.616349] hardirqs last enabled at (7633): [<ffffcd777831ee90>] _raw_spin_unlock_irq+0x3c/0x78
[ 825.616384] hardirqs last disabled at (7634): [<ffffcd7778315a78>] __schedule+0x134/0x9f0
[ 825.616411] softirqs last enabled at (7630): [<ffffcd7707aacea0>] local_bh_enable+0x4/0x30 [ipv6]
[ 825.617019] softirqs last disabled at (7618): [<ffffcd7707aace70>] local_bh_disable+0x4/0x30 [ipv6]
[ 825.617586] ---[ end trace 0000000000000000 ]---

Therefore, deal with the deadlock as suggested by [1], using the
function drm_modeset_backoff().

[1] https://docs.kernel.org/gpu/drm-kms.html?highlight=kms#kms-locking
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 6bed2ea3cb3856edf37cca20753e689ee8774793 (affected from 6.1; unaffected before 6.1, from 6.1.16 and 6.2.3 within their stable series, and from 6.3)

Affected file: drivers/gpu/drm/vc4/vc4_hdmi.c
CVE-2023-53495 (GCVE-0-2023-53495)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()

rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be checked before using
rules to avoid OOB writing or NULL pointer dereference.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 90b509b39ac9b09be88eb641c7a3abd8de06b698 (affected from 5.2; unaffected before 5.2, from 5.4.257, 5.10.195, 5.15.132, 6.1.54 and 6.5.4 within their stable series, and from 6.6)

Affected file: drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
CVE-2023-53492 (GCVE-0-2023-53492)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: do not ignore genmask when looking up chain by id

When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.

This will lead to a WARNING like the following:
[ 33.098431] ------------[ cut here ]------------
[ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260
[ 33.099217] Modules linked in:
[ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
[ 33.099726] Workqueue: events nf_tables_trans_destroy_work
[ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260
[ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
[ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
[ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
[ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
[ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
[ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
[ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
[ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
[ 33.104872] PKRU: 55555554
[ 33.104999] Call Trace:
[ 33.105113] <TASK>
[ 33.105214] ? show_regs+0x72/0x90
[ 33.105371] ? __warn+0xa5/0x210
[ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260
[ 33.105732] ? report_bug+0x1f2/0x200
[ 33.105902] ? handle_bug+0x46/0x90
[ 33.106546] ? exc_invalid_op+0x19/0x50
[ 33.106762] ? asm_exc_invalid_op+0x1b/0x20
[ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260
[ 33.107249] ? nf_tables_chain_destroy+0x30/0x260
[ 33.107506] nf_tables_trans_destroy_work+0x669/0x680
[ 33.107782] ? mark_held_locks+0x28/0xa0
[ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10
[ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70
[ 33.108538] process_one_work+0x68c/0xb70
[ 33.108755] ? lock_acquire+0x17f/0x420
[ 33.108977] ? __pfx_process_one_work+0x10/0x10
[ 33.109218] ? do_raw_spin_lock+0x128/0x1d0
[ 33.109435] ? _raw_spin_lock_irq+0x71/0x80
[ 33.109634] worker_thread+0x2bd/0x700
[ 33.109817] ? __pfx_worker_thread+0x10/0x10
[ 33.110254] kthread+0x18b/0x1d0
[ 33.110410] ? __pfx_kthread+0x10/0x10
[ 33.110581] ret_from_fork+0x29/0x50
[ 33.110757] </TASK>
[ 33.110866] irq event stamp: 1651
[ 33.111017] hardirqs last enabled at (1659): [<ffffffffa206a209>] __up_console_sem+0x79/0xa0
[ 33.111379] hardirqs last disabled at (1666): [<ffffffffa206a1ee>] __up_console_sem+0x5e/0xa0
[ 33.111740] softirqs last enabled at (1616): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0
[ 33.112094] softirqs last disabled at (1367): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0
[ 33.112453] ---[ end trace 0000000000000000 ]---
This is due to the nft_chain_lookup_byid ignoring the genmask. After this
change, adding the new rule will fail as it will not find the chain.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 837830a4b439bfeb86c70b0115c280377c84714b, Version: 837830a4b439bfeb86c70b0115c280377c84714b, Version: 837830a4b439bfeb86c70b0115c280377c84714b, Version: 837830a4b439bfeb86c70b0115c280377c84714b, Version: 837830a4b439bfeb86c70b0115c280377c84714b
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nf_tables_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4ae2e501331aaa506eaf760339bb2f43e5769395", "status": "affected", "version": "837830a4b439bfeb86c70b0115c280377c84714b", "versionType": "git" }, { "lessThan": "041e2ac88caef286b39064e83e825e3f53113d36", "status": "affected", "version": "837830a4b439bfeb86c70b0115c280377c84714b", "versionType": "git" }, { "lessThan": "fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49", "status": "affected", "version": "837830a4b439bfeb86c70b0115c280377c84714b", "versionType": "git" }, { "lessThan": "5e5e967e8505fbdabfb6497367ec1b808cadc356", "status": "affected", "version": "837830a4b439bfeb86c70b0115c280377c84714b", "versionType": "git" }, { "lessThan": "515ad530795c118f012539ed76d02bacfd426d89", "status": "affected", "version": "837830a4b439bfeb86c70b0115c280377c84714b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nf_tables_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when looking up chain by id\n\nWhen adding a rule to a chain referring to its ID, if that chain had been\ndeleted on the same batch, the rule might end up referring to a deleted\nchain.\n\nThis will lead to a WARNING like following:\n\n[ 33.098431] ------------[ cut here ]------------\n[ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260\n[ 33.099217] Modules linked in:\n[ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409\n[ 33.099726] Workqueue: events nf_tables_trans_destroy_work\n[ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260\n[ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc \u003c0f\u003e 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7\n[ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202\n[ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000\n[ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 
0000000000000000\n[ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000\n[ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500\n[ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10\n[ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000\n[ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0\n[ 33.104872] PKRU: 55555554\n[ 33.104999] Call Trace:\n[ 33.105113] \u003cTASK\u003e\n[ 33.105214] ? show_regs+0x72/0x90\n[ 33.105371] ? __warn+0xa5/0x210\n[ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260\n[ 33.105732] ? report_bug+0x1f2/0x200\n[ 33.105902] ? handle_bug+0x46/0x90\n[ 33.106546] ? exc_invalid_op+0x19/0x50\n[ 33.106762] ? asm_exc_invalid_op+0x1b/0x20\n[ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260\n[ 33.107249] ? nf_tables_chain_destroy+0x30/0x260\n[ 33.107506] nf_tables_trans_destroy_work+0x669/0x680\n[ 33.107782] ? mark_held_locks+0x28/0xa0\n[ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10\n[ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70\n[ 33.108538] process_one_work+0x68c/0xb70\n[ 33.108755] ? lock_acquire+0x17f/0x420\n[ 33.108977] ? __pfx_process_one_work+0x10/0x10\n[ 33.109218] ? do_raw_spin_lock+0x128/0x1d0\n[ 33.109435] ? _raw_spin_lock_irq+0x71/0x80\n[ 33.109634] worker_thread+0x2bd/0x700\n[ 33.109817] ? __pfx_worker_thread+0x10/0x10\n[ 33.110254] kthread+0x18b/0x1d0\n[ 33.110410] ? 
__pfx_kthread+0x10/0x10\n[ 33.110581] ret_from_fork+0x29/0x50\n[ 33.110757] \u003c/TASK\u003e\n[ 33.110866] irq event stamp: 1651\n[ 33.111017] hardirqs last enabled at (1659): [\u003cffffffffa206a209\u003e] __up_console_sem+0x79/0xa0\n[ 33.111379] hardirqs last disabled at (1666): [\u003cffffffffa206a1ee\u003e] __up_console_sem+0x5e/0xa0\n[ 33.111740] softirqs last enabled at (1616): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[ 33.112094] softirqs last disabled at (1367): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[ 33.112453] ---[ end trace 0000000000000000 ]---\n\nThis is due to the nft_chain_lookup_byid ignoring the genmask. After this\nchange, adding the new rule will fail as it will not find the chain." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:44.019Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4ae2e501331aaa506eaf760339bb2f43e5769395" }, { "url": "https://git.kernel.org/stable/c/041e2ac88caef286b39064e83e825e3f53113d36" }, { "url": "https://git.kernel.org/stable/c/fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49" }, { "url": "https://git.kernel.org/stable/c/5e5e967e8505fbdabfb6497367ec1b808cadc356" }, { "url": "https://git.kernel.org/stable/c/515ad530795c118f012539ed76d02bacfd426d89" } ], "title": "netfilter: nf_tables: do not ignore genmask when looking up chain by id", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53492", "datePublished": "2025-10-01T11:45:44.019Z", "dateReserved": "2025-10-01T11:39:39.403Z", "dateUpdated": "2025-10-01T11:45:44.019Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53516 (GCVE-0-2023-53516)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF
The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
broadcast cutoff") added one additional attribute named
IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.
However, it forgot to describe the nla_policy at macvlan_policy
(drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer
can be faked as empty (0 bytes) by a malicious user, which could lead
to OOB in heap just like CVE-2023-3773.
To fix it, this commit just completes the nla_policy description for
IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the
potential OOB read.
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/macvlan.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "79f44709aa7a744fbfbadd4aef678443290c6991", "status": "affected", "version": "954d1fa1ac93aa8a66f7d9a9ba545cf7f020d348", "versionType": "git" }, { "lessThan": "55cef78c244d0d076f5a75a35530ca63c92f4426", "status": "affected", "version": "954d1fa1ac93aa8a66f7d9a9ba545cf7f020d348", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/macvlan.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.8", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF\n\nThe previous commit 954d1fa1ac93 (\"macvlan: Add netlink attribute for\nbroadcast cutoff\") added one additional attribute named\nIFLA_MACVLAN_BC_CUTOFF to allow broadcast cutfoff.\n\nHowever, it forgot to describe the nla_policy at macvlan_policy\n(drivers/net/macvlan.c). 
Hence, this suppose NLA_S32 (4 bytes) integer\ncan be faked as empty (0 bytes) by a malicious user, which could leads\nto OOB in heap just like CVE-2023-3773.\n\nTo fix it, this commit just completes the nla_policy description for\nIFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the\npotential OOB read." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:03.878Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/79f44709aa7a744fbfbadd4aef678443290c6991" }, { "url": "https://git.kernel.org/stable/c/55cef78c244d0d076f5a75a35530ca63c92f4426" } ], "title": "macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53516", "datePublished": "2025-10-01T11:46:03.878Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:03.878Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50434 (GCVE-0-2022-50434)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix possible memleak when register 'hctx' failed
There's an issue as follows when doing a fault injection test:
unreferenced object 0xffff888132a9f400 (size 512):
comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2....
08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............
backtrace:
[<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0
[<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0
[<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230
[<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910
[<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0
[<00000000a2a34657>] 0xffffffffa2ad310f
[<00000000b173f718>] 0xffffffffa2af824a
[<0000000095a1dabb>] do_one_initcall+0x87/0x2a0
[<00000000f32fdf93>] do_init_module+0xdf/0x320
[<00000000cbe8541e>] load_module+0x3006/0x3390
[<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0
[<00000000a1a29ae8>] do_syscall_64+0x35/0x80
[<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fault injection context as follows:
kobject_add
blk_mq_register_hctx
blk_mq_sysfs_register
blk_register_queue
device_add_disk
null_add_dev.part.0 [null_blk]
As 'blk_mq_register_hctx' may already have added some objects when it fails halfway,
and no fallback is done, the caller doesn't know which objects failed to be added.
To solve the above issue, just do the fallback when adding objects fails halfway in
'blk_mq_register_hctx'.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "block/blk-mq-sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "654870789c3c1b9763316ef1c71d7a449127b175", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cb186eb47fb9dd327bdefa15f0c5fc55c53a40dd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "02bc8bc6eab03c84373281b85cb6e98747172ff7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "87fd18016a47ea8ae12641377a390172c4aa97a7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e8022da1fa2fdf2fa204b445dd3354e7a66d085a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "eff45bfbc25a2509a6362dea6e699e14083c693c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4b7fafa5f39b15c3a6ca3b95e534d05d6904cc95", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "33e8a3f61814ea30615d0fafaf50477975d6c1ca", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4b7a21c57b14fbcd0e1729150189e5933f5088e9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "block/blk-mq-sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { 
"lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], 
"descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix possible memleak when register \u0027hctx\u0027 failed\n\nThere\u0027s issue as follows when do fault injection test:\nunreferenced object 0xffff888132a9f400 (size 512):\n comm \"insmod\", pid 308021, jiffies 4324277909 (age 509.733s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2....\n 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............\n backtrace:\n [\u003c00000000e8952bb4\u003e] kmalloc_node_trace+0x22/0xa0\n [\u003c00000000f9980e0f\u003e] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0\n [\u003c000000002e719efa\u003e] blk_mq_realloc_hw_ctxs+0x1e6/0x230\n [\u003c000000004f1fda40\u003e] blk_mq_init_allocated_queue+0x27e/0x910\n [\u003c00000000287123ec\u003e] __blk_mq_alloc_disk+0x67/0xf0\n [\u003c00000000a2a34657\u003e] 0xffffffffa2ad310f\n [\u003c00000000b173f718\u003e] 0xffffffffa2af824a\n [\u003c0000000095a1dabb\u003e] do_one_initcall+0x87/0x2a0\n [\u003c00000000f32fdf93\u003e] do_init_module+0xdf/0x320\n [\u003c00000000cbe8541e\u003e] load_module+0x3006/0x3390\n [\u003c0000000069ed1bdb\u003e] __do_sys_finit_module+0x113/0x1b0\n [\u003c00000000a1a29ae8\u003e] do_syscall_64+0x35/0x80\n [\u003c000000009cd878b0\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFault injection context as follows:\n kobject_add\n blk_mq_register_hctx\n blk_mq_sysfs_register\n blk_register_queue\n device_add_disk\n null_add_dev.part.0 [null_blk]\n\nAs \u0027blk_mq_register_hctx\u0027 may already add some objects when failed halfway,\nbut there isn\u0027t do fallback, caller don\u0027t know which objects add failed.\nTo solve above issue just do fallback when add objects failed halfway in\n\u0027blk_mq_register_hctx\u0027." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:12.160Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/654870789c3c1b9763316ef1c71d7a449127b175" }, { "url": "https://git.kernel.org/stable/c/cb186eb47fb9dd327bdefa15f0c5fc55c53a40dd" }, { "url": "https://git.kernel.org/stable/c/02bc8bc6eab03c84373281b85cb6e98747172ff7" }, { "url": "https://git.kernel.org/stable/c/87fd18016a47ea8ae12641377a390172c4aa97a7" }, { "url": "https://git.kernel.org/stable/c/e8022da1fa2fdf2fa204b445dd3354e7a66d085a" }, { "url": "https://git.kernel.org/stable/c/eff45bfbc25a2509a6362dea6e699e14083c693c" }, { "url": "https://git.kernel.org/stable/c/4b7fafa5f39b15c3a6ca3b95e534d05d6904cc95" }, { "url": "https://git.kernel.org/stable/c/33e8a3f61814ea30615d0fafaf50477975d6c1ca" }, { "url": "https://git.kernel.org/stable/c/4b7a21c57b14fbcd0e1729150189e5933f5088e9" } ], "title": "blk-mq: fix possible memleak when register \u0027hctx\u0027 failed", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50434", "datePublished": "2025-10-01T11:42:12.160Z", "dateReserved": "2025-09-17T14:53:07.009Z", "dateUpdated": "2025-10-01T11:42:12.160Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53454 (GCVE-0-2023-53454)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Correct devm device reference for hidinput input_dev name
Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.
Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780, Version: c08d46aa805ba46d501f610c2448d07bea979780
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-multitouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ac0d389402a6ff9ad92cea02c2d8c711483b91ab", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "39c70c19456e50dcb3abfe53539220dff0490f1d", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "df7ca43fe090e1a56c216c8ebc106ef5fd49afc6", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "15ec7cb55e7d88755aa01d44a7a1015a42bfce86", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "dde88ab4e45beb60b217026207aa9c14c88d71ab", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "2763732ec1e68910719c75b6b896e11b6d3d622b", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "1d7833db9fd118415dace2ca157bfa603dec9c8c", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "b70ac7849248ec8128fa12f86e3655ba38838f29", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" }, { "lessThan": "4794394635293a3e74591351fff469cea7ad15a2", "status": "affected", "version": "c08d46aa805ba46d501f610c2448d07bea979780", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-multitouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", 
"version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.53", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.53", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.16", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:25.760Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ac0d389402a6ff9ad92cea02c2d8c711483b91ab" }, { "url": "https://git.kernel.org/stable/c/39c70c19456e50dcb3abfe53539220dff0490f1d" }, { "url": "https://git.kernel.org/stable/c/df7ca43fe090e1a56c216c8ebc106ef5fd49afc6" }, { "url": "https://git.kernel.org/stable/c/15ec7cb55e7d88755aa01d44a7a1015a42bfce86" }, { "url": "https://git.kernel.org/stable/c/dde88ab4e45beb60b217026207aa9c14c88d71ab" }, { "url": "https://git.kernel.org/stable/c/2763732ec1e68910719c75b6b896e11b6d3d622b" }, { "url": "https://git.kernel.org/stable/c/1d7833db9fd118415dace2ca157bfa603dec9c8c" }, { "url": "https://git.kernel.org/stable/c/b70ac7849248ec8128fa12f86e3655ba38838f29" }, { "url": "https://git.kernel.org/stable/c/4794394635293a3e74591351fff469cea7ad15a2" } ], "title": "HID: multitouch: Correct devm device reference for hidinput input_dev name", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53454", "datePublished": "2025-10-01T11:42:25.760Z", "dateReserved": "2025-09-17T14:54:09.754Z", "dateUpdated": "2025-10-01T11:42:25.760Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50420 (GCVE-0-2022-50420)
Vulnerability from cvelistv5
Published
2025-10-01 11:41
Modified
2025-10-02 07:04
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/hpre - fix resource leak in remove process
In hpre_remove(), when the disable operation of qm sriov failed,
the following logic should continue to be executed to release the
remaining resources that have been allocated, instead of returning
directly, otherwise there will be resource leakage.
CVE-2022-50440 (GCVE-0-2022-50440)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate the box size for the snooped cursor
Invalid userspace dma surface copies could potentially overflow
the memcpy from the surface to the snooped image leading to crashes.
To fix it, the dimensions of the copybox have to be validated
against the expected size of the snooped cursor.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | 2ac863719e518ae1a8f328849e64ea26a222f079 |
CVE-2022-50465 (GCVE-0-2022-50465)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix leaking uninitialized memory in fast-commit journal
When space at the end of fast-commit journal blocks is unused, make sure
to zero it out so that uninitialized memory is not leaked to disk.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e |
CVE-2022-50422 (GCVE-0-2022-50422)
Vulnerability from cvelistv5
Published
2025-10-01 11:41
Modified
2025-10-01 11:41
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
When executing an SMP task fails, smp_execute_task_sg() calls del_timer()
to delete "slow_task->timer". However, if the timer handler
sas_task_internal_timedout() is running, the del_timer() in
smp_execute_task_sg() will not stop it and a UAF will happen. The process
is shown below:
      (thread 1)               |        (thread 2)
smp_execute_task_sg()          | sas_task_internal_timedout()
 ...                           |
 del_timer()                   |
 ...                           |  ...
 sas_free_task(task)           |
  kfree(task->slow_task) //FREE|
                               |  task->slow_task->... //USE
Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure
the timer handler has finished before the "task->slow_task" is
deallocated.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | 2908d778ab3e244900c310974e1fc1c69066e450 |
CVE-2022-50464 (GCVE-0-2022-50464)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()
As the comment of pci_get_device() says, it returns a pci_device with its
refcount increased. We need to call pci_dev_put() to decrease the
refcount. Save the return value of pci_get_device() and call
pci_dev_put() to decrease the refcount.
References
Impacted products
CVE-2023-3773 (GCVE-0-2023-3773)
Vulnerability from cvelistv5
Published
2023-07-25 15:47
Modified
2025-09-25 02:25
CWE
- CWE-125 - Out-of-bounds Read
Summary
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
References
URL | Tags |
---|---|
https://access.redhat.com/errata/RHSA-2023:6583 | vendor-advisory, x_refsource_REDHAT |
https://access.redhat.com/security/cve/CVE-2023-3773 | vdb-entry, x_refsource_REDHAT |
https://bugzilla.redhat.com/show_bug.cgi?id=2218944 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version |
---|---|---|
Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:5.14.0-362.8.1.el9_3 < * (cpe:/a:redhat:enterprise_linux:9::nfv, cpe:/a:redhat:enterprise_linux:9::realtime, cpe:/a:redhat:enterprise_linux:9::crb, cpe:/o:redhat:enterprise_linux:9::baseos, cpe:/a:redhat:enterprise_linux:9::appstream) |
CVE-2023-53508 (GCVE-0-2023-53508)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fail to start device if queue setup is interrupted
In ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is
interrupted by signal, queues aren't set up successfully yet, so we
have to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.
Reported by German when working on qemu-storage-daemon which requires
single thread ublk daemon.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/ublk_drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0d5916c439574b18a0734872daa0022b3d6105ad", "status": "affected", "version": "71f28f3136aff5890cd56de78abc673f8393cad9", "versionType": "git" }, { "lessThan": "6ab3e7d424cd413d7a5e976c8a30b4ffa84a65dd", "status": "affected", "version": "71f28f3136aff5890cd56de78abc673f8393cad9", "versionType": "git" }, { "lessThan": "53e7d08f6d6e214c40db1f51291bb2975c789dc2", "status": "affected", "version": "71f28f3136aff5890cd56de78abc673f8393cad9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/ublk_drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.43", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.43", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.8", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, 
the following vulnerability has been resolved:\n\nublk: fail to start device if queue setup is interrupted\n\nIn ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is\ninterrupted by signal, queues aren\u0027t setup successfully yet, so we\nhave to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.\n\nReported by German when working on qemu-storage-deamon which requires\nsingle thread ublk daemon." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:58.042Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0d5916c439574b18a0734872daa0022b3d6105ad" }, { "url": "https://git.kernel.org/stable/c/6ab3e7d424cd413d7a5e976c8a30b4ffa84a65dd" }, { "url": "https://git.kernel.org/stable/c/53e7d08f6d6e214c40db1f51291bb2975c789dc2" } ], "title": "ublk: fail to start device if queue setup is interrupted", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53508", "datePublished": "2025-10-01T11:45:58.042Z", "dateReserved": "2025-10-01T11:39:39.405Z", "dateUpdated": "2025-10-01T11:45:58.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53513 (GCVE-0-2023-53513)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix incomplete validation of ioctl arg
We tested and found an alarm caused by nbd_ioctl arg without verification.
The UBSAN warning call trace is shown below:
UBSAN: Undefined behaviour in fs/buffer.c:1709:35
signed integer overflow:
-9223372036854775808 - 1 cannot be represented in type 'long long int'
CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x170/0x1dc lib/dump_stack.c:118
ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
handle_overflow+0x188/0x1dc lib/ubsan.c:192
__ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206
__block_write_full_page+0x94c/0xa20 fs/buffer.c:1709
block_write_full_page+0x1f0/0x280 fs/buffer.c:2934
blkdev_writepage+0x34/0x40 fs/block_dev.c:607
__writepage+0x68/0xe8 mm/page-writeback.c:2305
write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240
generic_writepages+0xdc/0x148 mm/page-writeback.c:2329
blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114
do_writepages+0xd4/0x250 mm/page-writeback.c:2344
The reason for triggering this warning is __block_write_full_page()
-> i_size_read(inode) - 1 overflow.
inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize.
We think it is necessary to limit the size of arg to prevent errors.
Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int.
Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine),
it will become 1 after the coercion, which will return unexpected results.
Fix it by adding checks to prevent passing in too large numbers.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/nbd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "52851d0c3354b397c11d31dfeb8b2a2fc85a0002", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fab766c8a1aff715bce7075aab40e780266f8e1a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ffb75ffaa68723276365d0f9d00b03362b750657", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "55793ea54d77719a071b1ccc05a05056e3b5e009", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/nbd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix incomplete validation of ioctl arg\n\nWe tested and found an alarm caused by nbd_ioctl arg without verification.\nThe UBSAN warning calltrace like below:\n\nUBSAN: Undefined behaviour in fs/buffer.c:1709:35\nsigned integer overflow:\n-9223372036854775808 - 1 cannot be represented in type \u0027long long int\u0027\nCPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78\n show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x170/0x1dc lib/dump_stack.c:118\n ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161\n handle_overflow+0x188/0x1dc lib/ubsan.c:192\n __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206\n __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709\n block_write_full_page+0x1f0/0x280 fs/buffer.c:2934\n blkdev_writepage+0x34/0x40 fs/block_dev.c:607\n __writepage+0x68/0xe8 mm/page-writeback.c:2305\n write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240\n generic_writepages+0xdc/0x148 mm/page-writeback.c:2329\n blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114\n do_writepages+0xd4/0x250 mm/page-writeback.c:2344\n\nThe reason for triggering this warning is __block_write_full_page()\n-\u003e i_size_read(inode) - 1 overflow.\ninode-\u003ei_size is assigned in __nbd_ioctl() -\u003e nbd_set_size() -\u003e bytesize.\nWe think it is necessary to limit the size of arg to prevent errors.\n\nMoreover, __nbd_ioctl() -\u003e nbd_add_socket(), arg will be cast to int.\nAssuming the value of arg is 0x80000000000000001) (on a 64-bit machine),\nit will become 1 after the coercion, which will return unexpected results.\n\nFix it by adding checks to prevent passing in too large numbers." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:01.717Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/52851d0c3354b397c11d31dfeb8b2a2fc85a0002" }, { "url": "https://git.kernel.org/stable/c/fab766c8a1aff715bce7075aab40e780266f8e1a" }, { "url": "https://git.kernel.org/stable/c/ffb75ffaa68723276365d0f9d00b03362b750657" }, { "url": "https://git.kernel.org/stable/c/55793ea54d77719a071b1ccc05a05056e3b5e009" } ], "title": "nbd: fix incomplete validation of ioctl arg", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53513", "datePublished": "2025-10-01T11:46:01.717Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:01.717Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53507 (GCVE-0-2023-53507)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Unregister devlink params in case interface is down
Currently, in case an interface is down, mlx5 driver doesn't
unregister its devlink params, which leads to this WARN[1].
Fix it by unregistering devlink params in that case as well.
[1]
[ 295.244769 ] WARNING: CPU: 15 PID: 1 at net/core/devlink.c:9042 devlink_free+0x174/0x1fc
[ 295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61
[ 295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun 6 2023
[ 295.543096 ] pc : devlink_free+0x174/0x1fc
[ 295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core]
[ 295.561816 ] sp : ffff80000809b850
[ 295.711155 ] Call trace:
[ 295.716030 ] devlink_free+0x174/0x1fc
[ 295.723346 ] mlx5_devlink_free+0x18/0x2c [mlx5_core]
[ 295.733351 ] mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core]
[ 295.743534 ] auxiliary_bus_remove+0x2c/0x50
[ 295.751893 ] __device_release_driver+0x19c/0x280
[ 295.761120 ] device_release_driver+0x34/0x50
[ 295.769649 ] bus_remove_device+0xdc/0x170
[ 295.777656 ] device_del+0x17c/0x3a4
[ 295.784620 ] mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core]
[ 295.794800 ] mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core]
[ 295.806375 ] mlx5_unload+0x34/0xd0 [mlx5_core]
[ 295.815339 ] mlx5_unload_one+0x70/0xe4 [mlx5_core]
[ 295.824998 ] shutdown+0xb0/0xd8 [mlx5_core]
[ 295.833439 ] pci_device_shutdown+0x3c/0xa0
[ 295.841651 ] device_shutdown+0x170/0x340
[ 295.849486 ] __do_sys_reboot+0x1f4/0x2a0
[ 295.857322 ] __arm64_sys_reboot+0x2c/0x40
[ 295.865329 ] invoke_syscall+0x78/0x100
[ 295.872817 ] el0_svc_common.constprop.0+0x54/0x184
[ 295.882392 ] do_el0_svc+0x30/0xac
[ 295.889008 ] el0_svc+0x48/0x160
[ 295.895278 ] el0t_64_sync_handler+0xa4/0x130
[ 295.903807 ] el0t_64_sync+0x1a4/0x1a8
[ 295.911120 ] ---[ end trace 4f1d2381d00d9dce ]---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "471f59b3455314f0cafacf3096453727876355a9", "status": "affected", "version": "fe578cbb2f053f465e19d2671a523dcd01953888", "versionType": "git" }, { "lessThan": "53d737dfd3d7b023fa9fa445ea3f3db0ac9da402", "status": "affected", "version": "fe578cbb2f053f465e19d2671a523dcd01953888", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.10", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Unregister devlink params in case interface is down\n\nCurrently, in case an interface is down, mlx5 driver doesn\u0027t\nunregister its devlink params, which leads to this WARN[1].\nFix it by unregistering devlink params in that case as well.\n\n[1]\n[ 295.244769 ] WARNING: CPU: 15 PID: 1 at 
net/core/devlink.c:9042 devlink_free+0x174/0x1fc\n[ 295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61\n[ 295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun 6 2023\n[ 295.543096 ] pc : devlink_free+0x174/0x1fc\n[ 295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[ 295.561816 ] sp : ffff80000809b850\n[ 295.711155 ] Call trace:\n[ 295.716030 ] devlink_free+0x174/0x1fc\n[ 295.723346 ] mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[ 295.733351 ] mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core]\n[ 295.743534 ] auxiliary_bus_remove+0x2c/0x50\n[ 295.751893 ] __device_release_driver+0x19c/0x280\n[ 295.761120 ] device_release_driver+0x34/0x50\n[ 295.769649 ] bus_remove_device+0xdc/0x170\n[ 295.777656 ] device_del+0x17c/0x3a4\n[ 295.784620 ] mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core]\n[ 295.794800 ] mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core]\n[ 295.806375 ] mlx5_unload+0x34/0xd0 [mlx5_core]\n[ 295.815339 ] mlx5_unload_one+0x70/0xe4 [mlx5_core]\n[ 295.824998 ] shutdown+0xb0/0xd8 [mlx5_core]\n[ 295.833439 ] pci_device_shutdown+0x3c/0xa0\n[ 295.841651 ] device_shutdown+0x170/0x340\n[ 295.849486 ] __do_sys_reboot+0x1f4/0x2a0\n[ 295.857322 ] __arm64_sys_reboot+0x2c/0x40\n[ 295.865329 ] invoke_syscall+0x78/0x100\n[ 295.872817 ] el0_svc_common.constprop.0+0x54/0x184\n[ 295.882392 ] do_el0_svc+0x30/0xac\n[ 295.889008 ] el0_svc+0x48/0x160\n[ 295.895278 ] el0t_64_sync_handler+0xa4/0x130\n[ 295.903807 ] el0t_64_sync+0x1a4/0x1a8\n[ 295.911120 ] ---[ end trace 4f1d2381d00d9dce ]---" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:45:57.310Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/471f59b3455314f0cafacf3096453727876355a9" }, { "url": "https://git.kernel.org/stable/c/53d737dfd3d7b023fa9fa445ea3f3db0ac9da402" } ], "title": "net/mlx5: Unregister devlink params in case interface is down", 
"x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53507", "datePublished": "2025-10-01T11:45:57.310Z", "dateReserved": "2025-10-01T11:39:39.405Z", "dateUpdated": "2025-10-01T11:45:57.310Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53459 (GCVE-0-2023-53459)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: mcp-2221: prevent UAF in delayed work
If the device is plugged/unplugged without giving time for mcp_init_work()
to complete, we might kick in the devm free code path and thus have
unavailable struct mcp_2221 while in delayed work.
Canceling the delayed_work item is enough to solve the issue, because
cancel_delayed_work_sync will prevent the work item from requeuing itself.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-mcp2221.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5dc297652dbc557eba7ca7d6a4c5f1940dffffb1", "status": "affected", "version": "960f9df7c620ecb6030aff1d9a6c3d67598b8290", "versionType": "git" }, { "lessThan": "47e91fdfa511139f2549687edb0d8649b123227b", "status": "affected", "version": "960f9df7c620ecb6030aff1d9a6c3d67598b8290", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-mcp2221.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.1", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.1", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: mcp-2221: prevent UAF in delayed work\n\nIf the device is plugged/unplugged without giving time for mcp_init_work()\nto complete, we might kick in the devm free code path and thus have\nunavailable struct mcp_2221 while in delayed work.\n\nCanceling the delayed_work item is enough to solve the issue, because\ncancel_delayed_work_sync will prevent the 
work item to requeue itself." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:30.648Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5dc297652dbc557eba7ca7d6a4c5f1940dffffb1" }, { "url": "https://git.kernel.org/stable/c/47e91fdfa511139f2549687edb0d8649b123227b" } ], "title": "HID: mcp-2221: prevent UAF in delayed work", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53459", "datePublished": "2025-10-01T11:42:30.648Z", "dateReserved": "2025-10-01T11:39:39.399Z", "dateUpdated": "2025-10-01T11:42:30.648Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53464 (GCVE-0-2023-53464)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()
The validity of sock should be checked before assignment to avoid incorrect
values. Commit 57569c37f0ad ("scsi: iscsi: iscsi_tcp: Fix null-ptr-deref
while calling getpeername()") introduced this change which may lead to
inconsistent values of tcp_sw_conn->sendpage and conn->datadgst_en.
Fix the issue by moving the position of the assignment.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 884a788f065578bb640382279a83d1df433b13e6 Version: a26b0658751bb0a3b28386fca715333b104d32a2 Version: 57569c37f0add1b6489e1a1563c71519daf732cf Version: 57569c37f0add1b6489e1a1563c71519daf732cf Version: 57569c37f0add1b6489e1a1563c71519daf732cf Version: 897dbbc57d71e8a34ec1af8e573a142de457da38 Version: 0a0b861fce2657ba08ec356a74346b37ca4b2008
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/iscsi_tcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "499757ad3332e2527254f9ab68dec1da087b1d96", "status": "affected", "version": "884a788f065578bb640382279a83d1df433b13e6", "versionType": "git" }, { "lessThan": "5e5c5f472972c4bc9430adc08b36763a0fa5b9f7", "status": "affected", "version": "a26b0658751bb0a3b28386fca715333b104d32a2", "versionType": "git" }, { "lessThan": "6e06a68fbbfcd8576eee8f7139fa2b13c9b72e91", "status": "affected", "version": "57569c37f0add1b6489e1a1563c71519daf732cf", "versionType": "git" }, { "lessThan": "b287e21e73ec23f3788fbe40037c42dbe6e9a9a9", "status": "affected", "version": "57569c37f0add1b6489e1a1563c71519daf732cf", "versionType": "git" }, { "lessThan": "48b19b79cfa37b1e50da3b5a8af529f994c08901", "status": "affected", "version": "57569c37f0add1b6489e1a1563c71519daf732cf", "versionType": "git" }, { "status": "affected", "version": "897dbbc57d71e8a34ec1af8e573a142de457da38", "versionType": "git" }, { "status": "affected", "version": "0a0b861fce2657ba08ec356a74346b37ca4b2008", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/iscsi_tcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.178", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.107", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.24", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.11", "versionType": 
"semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.178", "versionStartIncluding": "5.10.150", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.107", "versionStartIncluding": "5.15.75", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.24", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.11", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()\n\nThe validity of sock should be checked before assignment to avoid incorrect\nvalues. Commit 57569c37f0ad (\"scsi: iscsi: iscsi_tcp: Fix null-ptr-deref\nwhile calling getpeername()\") introduced this change which may lead to\ninconsistent values of tcp_sw_conn-\u003esendpage and conn-\u003edatadgst_en.\n\nFix the issue by moving the position of the assignment." 
} ], "providerMetadata": { "dateUpdated": "2025-10-01T11:42:35.186Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/499757ad3332e2527254f9ab68dec1da087b1d96" }, { "url": "https://git.kernel.org/stable/c/5e5c5f472972c4bc9430adc08b36763a0fa5b9f7" }, { "url": "https://git.kernel.org/stable/c/6e06a68fbbfcd8576eee8f7139fa2b13c9b72e91" }, { "url": "https://git.kernel.org/stable/c/b287e21e73ec23f3788fbe40037c42dbe6e9a9a9" }, { "url": "https://git.kernel.org/stable/c/48b19b79cfa37b1e50da3b5a8af529f994c08901" } ], "title": "scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53464", "datePublished": "2025-10-01T11:42:35.186Z", "dateReserved": "2025-10-01T11:39:39.400Z", "dateUpdated": "2025-10-01T11:42:35.186Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53519 (GCVE-0-2023-53519)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-mem2mem: add lock to protect parameter num_rdy
The error below occurs when using KCSAN to check the driver. Add a lock to
protect parameter num_rdy when getting the value with the functions:
v4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready.
kworker/u16:3: [name:report&]BUG: KCSAN: data-race in v4l2_m2m_buf_queue
kworker/u16:3: [name:report&]
kworker/u16:3: [name:report&]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7:
kworker/u16:3: v4l2_m2m_buf_queue+0xd8/0x10c
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/media/v4l2-mem2mem.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "690dd4780b3f4d755e4e7883e8c3d1b5052f6bf2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7fc7f87725805197388ba749a1801df33000fa50", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ef009fe2010ea2a3a7045ecb72729cf366e0967b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e52de26cb37459b16213438a2c82feb155dd3bbd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1676748aa29099fc0abd71e0fb092e76e835f25c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c71aa5f1cf961264690f2560503ea396b6e3c680", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e01ea1c4191ee08440b5f86db98dff695e9cedf9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "56b5c3e67b0f9af3f45cf393be048ee8d8a92694", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/media/v4l2-mem2mem.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.324", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.128", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.47", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.324", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.128", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.47", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: add lock to protect parameter num_rdy\n\nGetting below error when using KCSAN to check the driver. 
Adding lock to\nprotect parameter num_rdy when getting the value with function:\nv4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready.\n\nkworker/u16:3: [name:report\u0026]BUG: KCSAN: data-race in v4l2_m2m_buf_queue\nkworker/u16:3: [name:report\u0026]\n\nkworker/u16:3: [name:report\u0026]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7:\nkworker/u16:3:\u00a0 v4l2_m2m_buf_queue+0xd8/0x10c" } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:06.419Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/690dd4780b3f4d755e4e7883e8c3d1b5052f6bf2" }, { "url": "https://git.kernel.org/stable/c/7fc7f87725805197388ba749a1801df33000fa50" }, { "url": "https://git.kernel.org/stable/c/ef009fe2010ea2a3a7045ecb72729cf366e0967b" }, { "url": "https://git.kernel.org/stable/c/e52de26cb37459b16213438a2c82feb155dd3bbd" }, { "url": "https://git.kernel.org/stable/c/1676748aa29099fc0abd71e0fb092e76e835f25c" }, { "url": "https://git.kernel.org/stable/c/c71aa5f1cf961264690f2560503ea396b6e3c680" }, { "url": "https://git.kernel.org/stable/c/e01ea1c4191ee08440b5f86db98dff695e9cedf9" }, { "url": "https://git.kernel.org/stable/c/56b5c3e67b0f9af3f45cf393be048ee8d8a92694" } ], "title": "media: v4l2-mem2mem: add lock to protect parameter num_rdy", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53519", "datePublished": "2025-10-01T11:46:06.419Z", "dateReserved": "2025-10-01T11:39:39.407Z", "dateUpdated": "2025-10-01T11:46:06.419Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53512 (GCVE-0-2023-53512)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix a memory leak
Add a forgotten kfree().
References
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | Version: dbec4c9040edc15442c3ebdb65408aa9d3b82c24 |
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/mpt3sas/mpt3sas_base.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "30c7c72b6cf9d8c95f9b219c9d2e4e31b15bebe5", "status": "affected", "version": "dbec4c9040edc15442c3ebdb65408aa9d3b82c24", "versionType": "git" }, { "lessThan": "378cc0eec4aa546ce1ae17515e2dfab719d4fb1e", "status": "affected", "version": "dbec4c9040edc15442c3ebdb65408aa9d3b82c24", "versionType": "git" }, { "lessThan": "847cdbdcd5a24c1eec9595161a23b88fef91ff42", "status": "affected", "version": "dbec4c9040edc15442c3ebdb65408aa9d3b82c24", "versionType": "git" }, { "lessThan": "28137ea3eb05a87329a7154a8ff410d9e8bcc0a5", "status": "affected", "version": "dbec4c9040edc15442c3ebdb65408aa9d3b82c24", "versionType": "git" }, { "lessThan": "54dd96015e8d7a2a07359e2dfebf05b529d1780c", "status": "affected", "version": "dbec4c9040edc15442c3ebdb65408aa9d3b82c24", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/mpt3sas/mpt3sas_base.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.16" }, { "lessThan": "4.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix a memory leak\n\nAdd a forgotten kfree()." } ], "providerMetadata": { "dateUpdated": "2025-10-01T11:46:00.888Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/30c7c72b6cf9d8c95f9b219c9d2e4e31b15bebe5" }, { "url": "https://git.kernel.org/stable/c/378cc0eec4aa546ce1ae17515e2dfab719d4fb1e" }, { "url": "https://git.kernel.org/stable/c/847cdbdcd5a24c1eec9595161a23b88fef91ff42" }, { "url": "https://git.kernel.org/stable/c/28137ea3eb05a87329a7154a8ff410d9e8bcc0a5" }, { "url": "https://git.kernel.org/stable/c/54dd96015e8d7a2a07359e2dfebf05b529d1780c" } ], "title": "scsi: mpt3sas: Fix a memory leak", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53512", "datePublished": "2025-10-01T11:46:00.888Z", "dateReserved": "2025-10-01T11:39:39.406Z", "dateUpdated": "2025-10-01T11:46:00.888Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.