wid-sec-w-2025-2229
Vulnerability from csaf_certbund
Published
2025-10-07 22:00
Modified
2025-11-20 23:00
Summary
Linux Kernel: Multiple vulnerabilities
Notes
The BSI, as a provider, is responsible under general law for its own content made available for use. However, users are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
The kernel is the core of the Linux operating system.
Attack
An attacker can exploit multiple vulnerabilities in the Linux kernel to carry out a denial-of-service attack and other unspecified attacks.
Affected operating systems
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und andere nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2229 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2229.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2229 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2229"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50509",
"url": "https://lore.kernel.org/linux-cve-announce/2025100755-CVE-2022-50509-e40c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50510",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2022-50510-c055@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50511",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2022-50511-5d8d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50512",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2022-50512-f95b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50513",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2022-50513-8fee@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50514",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2022-50514-cca3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50515",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2022-50515-fff8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50516",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2022-50516-3b07@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50517",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2022-50517-6166@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50518",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2022-50518-0bf9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50519",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2022-50519-4c44@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50520",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2022-50520-9faa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50521",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2022-50521-fd26@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50522",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2022-50522-fb63@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50523",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2022-50523-d569@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50524",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2022-50524-f437@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50525",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2022-50525-e70b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50526",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2022-50526-abd9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50527",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2022-50527-de17@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50528",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2022-50528-1d20@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50529",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2022-50529-d55b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50530",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2022-50530-ef6b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50531",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2022-50531-a29b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50532",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2022-50532-430b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50533",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2022-50533-7dfc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50534",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2022-50534-8900@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50535",
"url": "https://lore.kernel.org/linux-cve-announce/2025100753-CVE-2022-50535-a9a9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50536",
"url": "https://lore.kernel.org/linux-cve-announce/2025100754-CVE-2022-50536-baea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50537",
"url": "https://lore.kernel.org/linux-cve-announce/2025100754-CVE-2022-50537-897a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50538",
"url": "https://lore.kernel.org/linux-cve-announce/2025100754-CVE-2022-50538-3f3d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50539",
"url": "https://lore.kernel.org/linux-cve-announce/2025100755-CVE-2022-50539-4f53@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50540",
"url": "https://lore.kernel.org/linux-cve-announce/2025100755-CVE-2022-50540-46a8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50541",
"url": "https://lore.kernel.org/linux-cve-announce/2025100756-CVE-2022-50541-e1fe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50542",
"url": "https://lore.kernel.org/linux-cve-announce/2025100756-CVE-2022-50542-e0eb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50543",
"url": "https://lore.kernel.org/linux-cve-announce/2025100756-CVE-2022-50543-597d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50544",
"url": "https://lore.kernel.org/linux-cve-announce/2025100757-CVE-2022-50544-f012@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50545",
"url": "https://lore.kernel.org/linux-cve-announce/2025100757-CVE-2022-50545-f879@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50546",
"url": "https://lore.kernel.org/linux-cve-announce/2025100757-CVE-2022-50546-ef71@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50547",
"url": "https://lore.kernel.org/linux-cve-announce/2025100758-CVE-2022-50547-5bb8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50548",
"url": "https://lore.kernel.org/linux-cve-announce/2025100758-CVE-2022-50548-5721@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50549",
"url": "https://lore.kernel.org/linux-cve-announce/2025100758-CVE-2022-50549-cb07@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50550",
"url": "https://lore.kernel.org/linux-cve-announce/2025100759-CVE-2022-50550-7147@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50551",
"url": "https://lore.kernel.org/linux-cve-announce/2025100759-CVE-2022-50551-7398@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50552",
"url": "https://lore.kernel.org/linux-cve-announce/2025100759-CVE-2022-50552-5100@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50553",
"url": "https://lore.kernel.org/linux-cve-announce/2025100700-CVE-2022-50553-8917@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50554",
"url": "https://lore.kernel.org/linux-cve-announce/2025100700-CVE-2022-50554-f4fb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-50555",
"url": "https://lore.kernel.org/linux-cve-announce/2025100700-CVE-2022-50555-18e1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53617",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2023-53617-909b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53618",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53618-7074@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53619",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53619-03f0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53620",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53620-3924@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53621",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53621-b6f9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53622",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53622-2f9b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53623",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53623-2687@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53624",
"url": "https://lore.kernel.org/linux-cve-announce/2025100711-CVE-2023-53624-7a7c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53625",
"url": "https://lore.kernel.org/linux-cve-announce/2025100711-CVE-2023-53625-3f41@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53626",
"url": "https://lore.kernel.org/linux-cve-announce/2025100711-CVE-2023-53626-24ed@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53627",
"url": "https://lore.kernel.org/linux-cve-announce/2025100711-CVE-2023-53627-aaa6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53628",
"url": "https://lore.kernel.org/linux-cve-announce/2025100712-CVE-2023-53628-a5b2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53629",
"url": "https://lore.kernel.org/linux-cve-announce/2025100712-CVE-2023-53629-042c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53630",
"url": "https://lore.kernel.org/linux-cve-announce/2025100712-CVE-2023-53630-4242@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53631",
"url": "https://lore.kernel.org/linux-cve-announce/2025100713-CVE-2023-53631-0542@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53632",
"url": "https://lore.kernel.org/linux-cve-announce/2025100713-CVE-2023-53632-d2de@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53633",
"url": "https://lore.kernel.org/linux-cve-announce/2025100713-CVE-2023-53633-0983@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53634",
"url": "https://lore.kernel.org/linux-cve-announce/2025100714-CVE-2023-53634-8155@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53635",
"url": "https://lore.kernel.org/linux-cve-announce/2025100714-CVE-2023-53635-de6f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53636",
"url": "https://lore.kernel.org/linux-cve-announce/2025100714-CVE-2023-53636-20bd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53637",
"url": "https://lore.kernel.org/linux-cve-announce/2025100715-CVE-2023-53637-32c9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53638",
"url": "https://lore.kernel.org/linux-cve-announce/2025100715-CVE-2023-53638-ded7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53639",
"url": "https://lore.kernel.org/linux-cve-announce/2025100715-CVE-2023-53639-2919@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53640",
"url": "https://lore.kernel.org/linux-cve-announce/2025100715-CVE-2023-53640-3db3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53641",
"url": "https://lore.kernel.org/linux-cve-announce/2025100716-CVE-2023-53641-ed0e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53642",
"url": "https://lore.kernel.org/linux-cve-announce/2025100716-CVE-2023-53642-a8f8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53643",
"url": "https://lore.kernel.org/linux-cve-announce/2025100716-CVE-2023-53643-4725@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53644",
"url": "https://lore.kernel.org/linux-cve-announce/2025100717-CVE-2023-53644-efaa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53645",
"url": "https://lore.kernel.org/linux-cve-announce/2025100717-CVE-2023-53645-6c08@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53646",
"url": "https://lore.kernel.org/linux-cve-announce/2025100717-CVE-2023-53646-c40e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53647",
"url": "https://lore.kernel.org/linux-cve-announce/2025100718-CVE-2023-53647-c01f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53648",
"url": "https://lore.kernel.org/linux-cve-announce/2025100718-CVE-2023-53648-3c04@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53649",
"url": "https://lore.kernel.org/linux-cve-announce/2025100718-CVE-2023-53649-0a4a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53650",
"url": "https://lore.kernel.org/linux-cve-announce/2025100718-CVE-2023-53650-4628@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53651",
"url": "https://lore.kernel.org/linux-cve-announce/2025100719-CVE-2023-53651-c6c7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53652",
"url": "https://lore.kernel.org/linux-cve-announce/2025100719-CVE-2023-53652-d67a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53653",
"url": "https://lore.kernel.org/linux-cve-announce/2025100719-CVE-2023-53653-6f54@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53654",
"url": "https://lore.kernel.org/linux-cve-announce/2025100720-CVE-2023-53654-dcad@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53655",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2023-53655-d389@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53656",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2023-53656-1a7b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53657",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2023-53657-d0c7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53658",
"url": "https://lore.kernel.org/linux-cve-announce/2025100701-CVE-2023-53658-3680@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53659",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2023-53659-8f24@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53660",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2023-53660-92d3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53661",
"url": "https://lore.kernel.org/linux-cve-announce/2025100702-CVE-2023-53661-6142@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53662",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2023-53662-475f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53663",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2023-53663-0a4e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53664",
"url": "https://lore.kernel.org/linux-cve-announce/2025100703-CVE-2023-53664-a38d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53665",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2023-53665-3411@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53666",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2023-53666-62bb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53667",
"url": "https://lore.kernel.org/linux-cve-announce/2025100704-CVE-2023-53667-9b2e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53668",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2023-53668-b06b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53669",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2023-53669-f81f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53670",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2023-53670-46fe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53671",
"url": "https://lore.kernel.org/linux-cve-announce/2025100705-CVE-2023-53671-a34e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53672",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2023-53672-cfad@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53673",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2023-53673-36b9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53674",
"url": "https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2023-53674-af85@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53675",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2023-53675-e7ac@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53676",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2023-53676-e7fb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53677",
"url": "https://lore.kernel.org/linux-cve-announce/2025100707-CVE-2023-53677-1cc8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53678",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2023-53678-b370@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53679",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2023-53679-929a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53680",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2023-53680-501d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53681",
"url": "https://lore.kernel.org/linux-cve-announce/2025100708-CVE-2023-53681-7a5a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53682",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53682-10e4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53683",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53683-249f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53684",
"url": "https://lore.kernel.org/linux-cve-announce/2025100709-CVE-2023-53684-db58@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53685",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53685-68d1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53686",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53686-f117@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53687",
"url": "https://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53687-c50c@gregkh/"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2-2025-3075 vom 2025-11-11",
"url": "https://alas.aws.amazon.com/AL2/ALAS2-2025-3075.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-110 vom 2025-11-11",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-110.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.4-2025-114 vom 2025-11-11",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.4-2025-114.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4057-1 vom 2025-11-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023254.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4111-1 vom 2025-11-17",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023294.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4135-1 vom 2025-11-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023300.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4128-1 vom 2025-11-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023299.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4132-1 vom 2025-11-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023302.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4139-1 vom 2025-11-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023306.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4141-1 vom 2025-11-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023304.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4140-1 vom 2025-11-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023305.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4149-1 vom 2025-11-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023309.html"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-11-20T23:00:00.000+00:00",
"generator": {
"date": "2025-11-21T08:23:32.570+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2229",
"initial_release_date": "2025-10-07T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-07T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-08T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-32037, EUVD-2025-32011, EUVD-2025-32012, EUVD-2025-32013, EUVD-2025-32021, EUVD-2025-32022, EUVD-2025-32023, EUVD-2025-32031, EUVD-2025-32032, EUVD-2025-32033, EUVD-2025-32035, EUVD-2025-32036, EUVD-2025-32038, EUVD-2025-32039, EUVD-2025-32040, EUVD-2025-32041, EUVD-2025-32042, EUVD-2025-32043, EUVD-2025-32044, EUVD-2025-32045, EUVD-2025-32046, EUVD-2025-32047, EUVD-2025-32051, EUVD-2025-32052, EUVD-2025-32014, EUVD-2025-32015, EUVD-2025-32016, EUVD-2025-32017, EUVD-2025-32018, EUVD-2025-32019, EUVD-2025-32020, EUVD-2025-32005, EUVD-2025-32006, EUVD-2025-32007, EUVD-2025-32008, EUVD-2025-32009, EUVD-2025-32010"
},
{
"date": "2025-11-10T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-11-11T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-16T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-18T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-19T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-20T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "8"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T047475",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50509",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50509"
},
{
"cve": "CVE-2022-50510",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50510"
},
{
"cve": "CVE-2022-50511",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50511"
},
{
"cve": "CVE-2022-50512",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50512"
},
{
"cve": "CVE-2022-50513",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50513"
},
{
"cve": "CVE-2022-50514",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50514"
},
{
"cve": "CVE-2022-50515",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50515"
},
{
"cve": "CVE-2022-50516",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50516"
},
{
"cve": "CVE-2022-50517",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50517"
},
{
"cve": "CVE-2022-50518",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50518"
},
{
"cve": "CVE-2022-50519",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50519"
},
{
"cve": "CVE-2022-50520",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50520"
},
{
"cve": "CVE-2022-50521",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50521"
},
{
"cve": "CVE-2022-50522",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50522"
},
{
"cve": "CVE-2022-50523",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50523"
},
{
"cve": "CVE-2022-50524",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50524"
},
{
"cve": "CVE-2022-50525",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50525"
},
{
"cve": "CVE-2022-50526",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50526"
},
{
"cve": "CVE-2022-50527",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50527"
},
{
"cve": "CVE-2022-50528",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50528"
},
{
"cve": "CVE-2022-50529",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50529"
},
{
"cve": "CVE-2022-50530",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50530"
},
{
"cve": "CVE-2022-50531",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50531"
},
{
"cve": "CVE-2022-50532",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50532"
},
{
"cve": "CVE-2022-50533",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50533"
},
{
"cve": "CVE-2022-50534",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50534"
},
{
"cve": "CVE-2022-50535",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50535"
},
{
"cve": "CVE-2022-50536",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50536"
},
{
"cve": "CVE-2022-50537",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50537"
},
{
"cve": "CVE-2022-50538",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50538"
},
{
"cve": "CVE-2022-50539",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50539"
},
{
"cve": "CVE-2022-50540",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50540"
},
{
"cve": "CVE-2022-50541",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50541"
},
{
"cve": "CVE-2022-50542",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50542"
},
{
"cve": "CVE-2022-50543",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50543"
},
{
"cve": "CVE-2022-50544",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50544"
},
{
"cve": "CVE-2022-50545",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50545"
},
{
"cve": "CVE-2022-50546",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50546"
},
{
"cve": "CVE-2022-50547",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50547"
},
{
"cve": "CVE-2022-50548",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50548"
},
{
"cve": "CVE-2022-50549",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50549"
},
{
"cve": "CVE-2022-50550",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50550"
},
{
"cve": "CVE-2022-50551",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50551"
},
{
"cve": "CVE-2022-50552",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50552"
},
{
"cve": "CVE-2022-50553",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50553"
},
{
"cve": "CVE-2022-50554",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50554"
},
{
"cve": "CVE-2022-50555",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2022-50555"
},
{
"cve": "CVE-2023-3773",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-3773"
},
{
"cve": "CVE-2023-53617",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53617"
},
{
"cve": "CVE-2023-53618",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53618"
},
{
"cve": "CVE-2023-53619",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53619"
},
{
"cve": "CVE-2023-53620",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53620"
},
{
"cve": "CVE-2023-53621",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53621"
},
{
"cve": "CVE-2023-53622",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53622"
},
{
"cve": "CVE-2023-53623",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53623"
},
{
"cve": "CVE-2023-53624",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53624"
},
{
"cve": "CVE-2023-53625",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53625"
},
{
"cve": "CVE-2023-53626",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53626"
},
{
"cve": "CVE-2023-53627",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53627"
},
{
"cve": "CVE-2023-53628",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53628"
},
{
"cve": "CVE-2023-53629",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53629"
},
{
"cve": "CVE-2023-53630",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53630"
},
{
"cve": "CVE-2023-53631",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53631"
},
{
"cve": "CVE-2023-53632",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53632"
},
{
"cve": "CVE-2023-53633",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53633"
},
{
"cve": "CVE-2023-53634",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53634"
},
{
"cve": "CVE-2023-53635",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53635"
},
{
"cve": "CVE-2023-53636",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53636"
},
{
"cve": "CVE-2023-53637",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53637"
},
{
"cve": "CVE-2023-53638",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53638"
},
{
"cve": "CVE-2023-53639",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53639"
},
{
"cve": "CVE-2023-53640",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53640"
},
{
"cve": "CVE-2023-53641",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53641"
},
{
"cve": "CVE-2023-53642",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53642"
},
{
"cve": "CVE-2023-53643",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53643"
},
{
"cve": "CVE-2023-53644",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53644"
},
{
"cve": "CVE-2023-53645",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53645"
},
{
"cve": "CVE-2023-53646",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53646"
},
{
"cve": "CVE-2023-53647",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53647"
},
{
"cve": "CVE-2023-53648",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53648"
},
{
"cve": "CVE-2023-53649",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53649"
},
{
"cve": "CVE-2023-53650",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53650"
},
{
"cve": "CVE-2023-53651",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53651"
},
{
"cve": "CVE-2023-53652",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53652"
},
{
"cve": "CVE-2023-53653",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53653"
},
{
"cve": "CVE-2023-53654",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53654"
},
{
"cve": "CVE-2023-53655",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53655"
},
{
"cve": "CVE-2023-53656",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53656"
},
{
"cve": "CVE-2023-53657",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53657"
},
{
"cve": "CVE-2023-53658",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53658"
},
{
"cve": "CVE-2023-53659",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53659"
},
{
"cve": "CVE-2023-53660",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53660"
},
{
"cve": "CVE-2023-53661",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53661"
},
{
"cve": "CVE-2023-53662",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53662"
},
{
"cve": "CVE-2023-53663",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53663"
},
{
"cve": "CVE-2023-53664",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53664"
},
{
"cve": "CVE-2023-53665",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53665"
},
{
"cve": "CVE-2023-53666",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53666"
},
{
"cve": "CVE-2023-53667",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53667"
},
{
"cve": "CVE-2023-53668",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53668"
},
{
"cve": "CVE-2023-53669",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53669"
},
{
"cve": "CVE-2023-53670",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53670"
},
{
"cve": "CVE-2023-53671",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53671"
},
{
"cve": "CVE-2023-53672",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53672"
},
{
"cve": "CVE-2023-53673",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53673"
},
{
"cve": "CVE-2023-53674",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53674"
},
{
"cve": "CVE-2023-53675",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53675"
},
{
"cve": "CVE-2023-53676",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53676"
},
{
"cve": "CVE-2023-53677",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53677"
},
{
"cve": "CVE-2023-53678",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53678"
},
{
"cve": "CVE-2023-53679",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53679"
},
{
"cve": "CVE-2023-53680",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53680"
},
{
"cve": "CVE-2023-53681",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53681"
},
{
"cve": "CVE-2023-53682",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53682"
},
{
"cve": "CVE-2023-53683",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53683"
},
{
"cve": "CVE-2023-53684",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53684"
},
{
"cve": "CVE-2023-53685",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53685"
},
{
"cve": "CVE-2023-53686",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53686"
},
{
"cve": "CVE-2023-53687",
"product_status": {
"known_affected": [
"T002207",
"T047475",
"398363"
]
},
"release_date": "2025-10-07T22:00:00.000+00:00",
"title": "CVE-2023-53687"
}
]
}
CVE-2023-53641 (GCVE-0-2023-53641)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
hif_dev->remain_skb is allocated and used exclusively in
ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is
processed and subsequently freed (in error paths) only during the next
call of ath9k_hif_usb_rx_stream().
So, if the urbs are deallocated between those two calls due to the device
deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()
is not called next time and the allocated remain_skb is leaked. Our local
Syzkaller instance was able to trigger that.
remain_skb makes sense when receiving two consecutive urbs which are
logically linked together, i.e. a specific data field from the first skb
indicates a cached skb to be allocated, memcpy'd with some data and
subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs
deallocation supposedly makes that link irrelevant so we need to free the
cached skb in those cases.
Fix the leak by introducing a function to explicitly free remain_skb (if
it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL
when it has not been allocated at all (hif_dev struct is kzalloced) or
when it has been processed in next call to ath9k_hif_usb_rx_stream().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6719e3797ec52cd144c8a5ba8aaab36674800585",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d9899318660791141ea6002fda5577b2c5d7386e",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "320d760a35273aa815d58b57e4fd9ba5279a3489",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "59073060fe0950c6ecbe12bdc06469dcac62128d",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9b9356a3014123f0ce4b50d9278c1265173150ab",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "f0931fc8f4b6847c72e170d2326861c0a081d680",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8f02d538878c9b1501f624595eb22ee4e5e0ff84",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "7654cc03eb699297130b693ec34e25f77b17c947",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev-\u003eremain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy\u0027d with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:41.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585"
},
{
"url": "https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e"
},
{
"url": "https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489"
},
{
"url": "https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d"
},
{
"url": "https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab"
},
{
"url": "https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680"
},
{
"url": "https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84"
},
{
"url": "https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947"
}
],
"title": "wifi: ath9k: hif_usb: fix memory leak of remain_skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53641",
"datePublished": "2025-10-07T15:19:41.028Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:41.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53670 (GCVE-0-2023-53670)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix dev_pm_qos memleak
Call dev_pm_qos_hide_latency_tolerance() in the error unwind patch to
avoid following kmemleak:-
blktests (master) # kmemleak-clear; ./check nvme/044;
blktests (master) # kmemleak-scan ; kmemleak-show
nvme/044 (Test bi-directional authentication) [passed]
runtime 2.111s ... 2.124s
unreferenced object 0xffff888110c46240 (size 96):
comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000069ac2cec>] kmalloc_trace+0x25/0x90
[<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100
[<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]
[<000000007df61b4b>] 0xffffffffc05e88b3
[<00000000d152b985>] 0xffffffffc05744cb
[<00000000f04a4041>] vfs_write+0xc5/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1379e067b9485e5af03399fe3f0d39bccb023ad",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "7237c26431cc78e5ec3259f4350f3dd58f6a4319",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "2ed9a89192e3192e5fea7ff6475c8722513f325e",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix dev_pm_qos memleak\n\nCall dev_pm_qos_hide_latency_tolerance() in the error unwind patch to\navoid following kmemleak:-\n\nblktests (master) # kmemleak-clear; ./check nvme/044;\nblktests (master) # kmemleak-scan ; kmemleak-show\nnvme/044 (Test bi-directional authentication) [passed]\n runtime 2.111s ... 2.124s\nunreferenced object 0xffff888110c46240 (size 96):\n comm \"nvme\", pid 33461, jiffies 4345365353 (age 75.586s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c0000000069ac2cec\u003e] kmalloc_trace+0x25/0x90\n [\u003c000000006acc66d5\u003e] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100\n [\u003c00000000cc376ea7\u003e] nvme_init_ctrl+0x38e/0x410 [nvme_core]\n [\u003c000000007df61b4b\u003e] 0xffffffffc05e88b3\n [\u003c00000000d152b985\u003e] 0xffffffffc05744cb\n [\u003c00000000f04a4041\u003e] vfs_write+0xc5/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:27.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1379e067b9485e5af03399fe3f0d39bccb023ad"
},
{
"url": "https://git.kernel.org/stable/c/7237c26431cc78e5ec3259f4350f3dd58f6a4319"
},
{
"url": "https://git.kernel.org/stable/c/2ed9a89192e3192e5fea7ff6475c8722513f325e"
},
{
"url": "https://git.kernel.org/stable/c/7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd"
}
],
"title": "nvme-core: fix dev_pm_qos memleak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53670",
"datePublished": "2025-10-07T15:21:27.626Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:27.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50509 (GCVE-0-2022-50509)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: coda: Add check for kmalloc
As the kmalloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL pointer dereference,
same as the others.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: cb1d3a336371e35c3920cc50a701c5403c255644 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d308c4a035b636756786af91e5f39f9d92d7d42a",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "11e32126b3e56c3156fb610d793732acd2bdac4f",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "ba9cc9e2035f7a45f5222543265daf7cd51f2530",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "7a2c66429b04e85fee44d6d9f455327bf23cf49c",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "d9b37ea8869e4e6da90c07a310d819a78cbd23d2",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "441c05485cf1a29eef05c1fd8281716815283315",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "aa17a252dbde432095e390e2092205d4debb12e1",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "0209e70ad496c1fcd85c2ec70e6736fd09f95d14",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "6e5e5defdb8b0186312c2f855ace175aee6daf9b",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for kmalloc\n\nAs the kmalloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:06.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d308c4a035b636756786af91e5f39f9d92d7d42a"
},
{
"url": "https://git.kernel.org/stable/c/11e32126b3e56c3156fb610d793732acd2bdac4f"
},
{
"url": "https://git.kernel.org/stable/c/ba9cc9e2035f7a45f5222543265daf7cd51f2530"
},
{
"url": "https://git.kernel.org/stable/c/7a2c66429b04e85fee44d6d9f455327bf23cf49c"
},
{
"url": "https://git.kernel.org/stable/c/d9b37ea8869e4e6da90c07a310d819a78cbd23d2"
},
{
"url": "https://git.kernel.org/stable/c/441c05485cf1a29eef05c1fd8281716815283315"
},
{
"url": "https://git.kernel.org/stable/c/aa17a252dbde432095e390e2092205d4debb12e1"
},
{
"url": "https://git.kernel.org/stable/c/0209e70ad496c1fcd85c2ec70e6736fd09f95d14"
},
{
"url": "https://git.kernel.org/stable/c/6e5e5defdb8b0186312c2f855ace175aee6daf9b"
}
],
"title": "media: coda: Add check for kmalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50509",
"datePublished": "2025-10-07T15:19:06.661Z",
"dateReserved": "2025-10-04T15:39:19.466Z",
"dateUpdated": "2025-10-07T15:19:06.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50531 (GCVE-0-2022-50531)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix an information leak in tipc_topsrv_kern_subscr
Use an 8-byte write to initialize sub.usr_handle in
tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
when issuing setsockopt(..., SOL_TIPC, ...).
This resulted in an infoleak reported by KMSAN when the packet was
received:
=====================================================
BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
instrument_copy_to_user ./include/linux/instrumented.h:121
copyout+0xbc/0x100 lib/iov_iter.c:169
_copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
copy_to_iter ./include/linux/uio.h:176
simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
skb_copy_datagram_msg ./include/linux/skbuff.h:3903
packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
____sys_recvmsg+0x2c4/0x810 net/socket.c:?
___sys_recvmsg+0x217/0x840 net/socket.c:2743
__sys_recvmsg net/socket.c:2773
__do_sys_recvmsg net/socket.c:2783
__se_sys_recvmsg net/socket.c:2780
__x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
...
Uninit was stored to memory at:
tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
__sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263
__se_sys_setsockopt net/socket.c:2260
__x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
Local variable sub created at:
tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
Bytes 84-87 of 88 are uninitialized
Memory access of size 88 starts at ffff88801ed57cd0
Data copied to user address 0000000020000400
...
=====================================================
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 026321c6d056a54b4145522492245d2b5913ee1d |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d1b83ff7b6575a4e41283203e6b2e25ea700cd7",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "567f8de358b61015dcfb8878a1f06c5369a45f54",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "e558e148938442dd49628cd7ef61c360832bef31",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "fef70f978bc289642501d88d2a3f5e841bd31a67",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "777ecaabd614d47c482a5c9031579e66da13989a",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.221",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix an information leak in tipc_topsrv_kern_subscr\n\nUse a 8-byte write to initialize sub.usr_handle in\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\nwhen issuing setsockopt(..., SOL_TIPC, ...).\nThis resulted in an infoleak reported by KMSAN when the packet was\nreceived:\n\n =====================================================\n BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\n instrument_copy_to_user ./include/linux/instrumented.h:121\n copyout+0xbc/0x100 lib/iov_iter.c:169\n _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\n copy_to_iter ./include/linux/uio.h:176\n simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\n skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\n skb_copy_datagram_msg ./include/linux/skbuff.h:3903\n packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\n ____sys_recvmsg+0x2c4/0x810 net/socket.c:?\n ___sys_recvmsg+0x217/0x840 net/socket.c:2743\n __sys_recvmsg net/socket.c:2773\n __do_sys_recvmsg net/socket.c:2783\n __se_sys_recvmsg net/socket.c:2780\n __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\n do_syscall_x64 arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n ...\n\n Uninit was stored to memory at:\n tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\n tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\n tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\n tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\n __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\n __do_sys_setsockopt net/socket.c:2263\n __se_sys_setsockopt net/socket.c:2260\n __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\n do_syscall_x64 
arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n Local variable sub created at:\n tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n\n Bytes 84-87 of 88 are uninitialized\n Memory access of size 88 starts at ffff88801ed57cd0\n Data copied to user address 0000000020000400\n ...\n ====================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:21.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7"
},
{
"url": "https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54"
},
{
"url": "https://git.kernel.org/stable/c/e558e148938442dd49628cd7ef61c360832bef31"
},
{
"url": "https://git.kernel.org/stable/c/dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154"
},
{
"url": "https://git.kernel.org/stable/c/fef70f978bc289642501d88d2a3f5e841bd31a67"
},
{
"url": "https://git.kernel.org/stable/c/777ecaabd614d47c482a5c9031579e66da13989a"
}
],
"title": "tipc: fix an information leak in tipc_topsrv_kern_subscr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50531",
"datePublished": "2025-10-07T15:19:21.911Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:21.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53645 (GCVE-0-2023-53645)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Make bpf_refcount_acquire fallible for non-owning refs
This patch fixes an incorrect assumption made in the original
bpf_refcount series [0], specifically that the BPF program calling
bpf_refcount_acquire on some node can always guarantee that the node is
alive. In that series, the patch adding failure behavior to rbtree_add
and list_push_{front, back} breaks this assumption for non-owning
references.
Consider the following program:
    n = bpf_kptr_xchg(&mapval, NULL);
    /* skip error checking */

    bpf_spin_lock(&l);
    if(bpf_rbtree_add(&t, &n->rb, less)) {
            bpf_refcount_acquire(n);
            /* Failed to add, do something else with the node */
    }
    bpf_spin_unlock(&l);
It's incorrect to assume that bpf_refcount_acquire will always succeed in this
scenario. bpf_refcount_acquire is being called in a critical section
here, but the lock being held is associated with rbtree t, which isn't
necessarily the lock associated with the tree that the node is already
in. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop
in it, the program has no ownership of the node's lifetime. Therefore
the node's refcount can be decr'd to 0 at any time after the failing
rbtree_add. If this happens before the refcount_acquire above, the node
might be free'd, and regardless refcount_acquire will be incrementing a
0 refcount.
Later patches in the series exercise this scenario, resulting in the
expected complaint from the kernel (without this patch's changes):
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110
Modules linked in: bpf_testmod(O)
CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0xbc/0x110
Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7
RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680
RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7
R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388
R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048
FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
bpf_refcount_acquire_impl+0xb5/0xc0
(rest of output snipped)
The patch addresses this by changing bpf_refcount_acquire_impl to use
refcount_inc_not_zero instead of refcount_inc and marking
bpf_refcount_acquire KF_RET_NULL.
For owning references, though, we know the above scenario is not possible
and thus that bpf_refcount_acquire will always succeed. Some verifier
bookkeeping is added to track "is input owning ref?" for bpf_refcount_acquire
calls and return false from is_kfunc_ret_null for bpf_refcount_acquire on
owning refs despite it being marked KF_RET_NULL.
Existing selftests using bpf_refcount_acquire are modified where
necessary to NULL-check its return value.
[0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d906d1b940b9dbf0a3e821d6b32a51c369273d91",
"status": "affected",
"version": "d2dcc67df910dd85253a701b6a5b747f955d28f5",
"versionType": "git"
},
{
"lessThan": "7793fc3babe9fea908e57f7c187ea819f9fd7e95",
"status": "affected",
"version": "d2dcc67df910dd85253a701b6a5b747f955d28f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Make bpf_refcount_acquire fallible for non-owning refs\n\nThis patch fixes an incorrect assumption made in the original\nbpf_refcount series [0], specifically that the BPF program calling\nbpf_refcount_acquire on some node can always guarantee that the node is\nalive. In that series, the patch adding failure behavior to rbtree_add\nand list_push_{front, back} breaks this assumption for non-owning\nreferences.\n\nConsider the following program:\n\n n = bpf_kptr_xchg(\u0026mapval, NULL);\n /* skip error checking */\n\n bpf_spin_lock(\u0026l);\n if(bpf_rbtree_add(\u0026t, \u0026n-\u003erb, less)) {\n bpf_refcount_acquire(n);\n /* Failed to add, do something else with the node */\n }\n bpf_spin_unlock(\u0026l);\n\nIt\u0027s incorrect to assume that bpf_refcount_acquire will always succeed in this\nscenario. bpf_refcount_acquire is being called in a critical section\nhere, but the lock being held is associated with rbtree t, which isn\u0027t\nnecessarily the lock associated with the tree that the node is already\nin. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop\nin it, the program has no ownership of the node\u0027s lifetime. Therefore\nthe node\u0027s refcount can be decr\u0027d to 0 at any time after the failing\nrbtree_add. 
If this happens before the refcount_acquire above, the node\nmight be free\u0027d, and regardless refcount_acquire will be incrementing a\n0 refcount.\n\nLater patches in the series exercise this scenario, resulting in the\nexpected complaint from the kernel (without this patch\u0027s changes):\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110\n Modules linked in: bpf_testmod(O)\n CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n RIP: 0010:refcount_warn_saturate+0xbc/0x110\n Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff \u003c0f\u003e 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7\n RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082\n RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680\n RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7\n R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388\n R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048\n FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n bpf_refcount_acquire_impl+0xb5/0xc0\n\n (rest of output snipped)\n\nThe patch addresses this by changing bpf_refcount_acquire_impl to use\nrefcount_inc_not_zero instead of refcount_inc and marking\nbpf_refcount_acquire KF_RET_NULL.\n\nFor owning references, though, we know the above scenario is not 
possible\nand thus that bpf_refcount_acquire will always succeed. Some verifier\nbookkeeping is added to track \"is input owning ref?\" for bpf_refcount_acquire\ncalls and return false from is_kfunc_ret_null for bpf_refcount_acquire on\nowning refs despite it being marked KF_RET_NULL.\n\nExisting selftests using bpf_refcount_acquire are modified where\nnecessary to NULL-check its return value.\n\n [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:43.738Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d906d1b940b9dbf0a3e821d6b32a51c369273d91"
},
{
"url": "https://git.kernel.org/stable/c/7793fc3babe9fea908e57f7c187ea819f9fd7e95"
}
],
"title": "bpf: Make bpf_refcount_acquire fallible for non-owning refs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53645",
"datePublished": "2025-10-07T15:19:43.738Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:43.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53668 (GCVE-0-2023-53668)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix deadloop issue on reading trace_pipe
Soft lockup occurs when reading file 'trace_pipe':
watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]
[...]
RIP: 0010:ring_buffer_empty_cpu+0xed/0x170
RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb
RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218
RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f
R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901
R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000
[...]
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__find_next_entry+0x1a8/0x4b0
? peek_next_entry+0x250/0x250
? down_write+0xa5/0x120
? down_write_killable+0x130/0x130
trace_find_next_entry_inc+0x3b/0x1d0
tracing_read_pipe+0x423/0xae0
? tracing_splice_read_pipe+0xcb0/0xcb0
vfs_read+0x16b/0x490
ksys_read+0x105/0x210
? __ia32_sys_pwrite64+0x200/0x200
? switch_fpu_return+0x108/0x220
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x61/0xc6
Through the vmcore, I found it's because in tracing_read_pipe(),
ring_buffer_empty_cpu() finds that some buffer is not empty, but then it
cannot read anything because "rb_num_of_entries() == 0" is always true.
Then it loops through the procedure infinitely because the user buffer has
not been filled; see the following code path:
    tracing_read_pipe() {
      ... ...
      waitagain:
        tracing_wait_pipe() // 1. find non-empty buffer here
        trace_find_next_entry_inc() // 2. loop here try to find an entry
          __find_next_entry()
            ring_buffer_empty_cpu(); // 3. find non-empty buffer
            peek_next_entry() // 4. but peek always return NULL
              ring_buffer_peek()
                rb_buffer_peek()
                  rb_get_reader_page()
                    // 5. because rb_num_of_entries() == 0 always true here
                    //    then return NULL
        // 6. user buffer not been filled so goto 'waitgain'
        //    and eventually leads to an deadloop in kernel!!!
    }
After some analysis, I found that when resetting the ring buffer, the 'entries'
of its pages are not all cleared (see rb_reset_cpu()). Then, when reducing
the ring buffer, if some reduced pages hold dirty 'entries' data, they
will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which
causes a wrong 'overrun' count and eventually causes the deadloop issue.
To fix it, we need to clear every page in rb_reset_cpu().
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: a5fb833172eca69136e9ee1ada778e404086ab8a |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a29dae5786d263016a9aceb1e56bf3fd4cc6fa0",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "a55e8a3596048c2f7b574049aeb1885b5abba1cc",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "e84829522fc72bb43556b31575731de0440ac0dd",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "5e68f1f3a20fe9b6bde018e353269fbfa289609c",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "bb14a93bccc92766b1d9302c6bcbea17d4bce306",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "8b0b63fdac6b70a45614e7d4b30e5bbb93deb007",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "27bdd93e44cc28dd9b94893fae146b83d4f5b31e",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "7e42907f3a7b4ce3a2d1757f6d78336984daf8f5",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix deadloop issue on reading trace_pipe\n\nSoft lockup occurs when reading file \u0027trace_pipe\u0027:\n\n watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]\n [...]\n RIP: 0010:ring_buffer_empty_cpu+0xed/0x170\n RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb\n RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218\n RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f\n R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901\n R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000\n [...]\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n __find_next_entry+0x1a8/0x4b0\n ? peek_next_entry+0x250/0x250\n ? down_write+0xa5/0x120\n ? down_write_killable+0x130/0x130\n trace_find_next_entry_inc+0x3b/0x1d0\n tracing_read_pipe+0x423/0xae0\n ? tracing_splice_read_pipe+0xcb0/0xcb0\n vfs_read+0x16b/0x490\n ksys_read+0x105/0x210\n ? __ia32_sys_pwrite64+0x200/0x200\n ? switch_fpu_return+0x108/0x220\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThrough the vmcore, I found it\u0027s because in tracing_read_pipe(),\nring_buffer_empty_cpu() found some buffer is not empty but then it\ncannot read anything due to \"rb_num_of_entries() == 0\" always true,\nThen it infinitely loop the procedure due to user buffer not been\nfilled, see following code path:\n\n tracing_read_pipe() {\n ... ...\n waitagain:\n tracing_wait_pipe() // 1. find non-empty buffer here\n trace_find_next_entry_inc() // 2. loop here try to find an entry\n __find_next_entry()\n ring_buffer_empty_cpu(); // 3. find non-empty buffer\n peek_next_entry() // 4. 
but peek always return NULL\n ring_buffer_peek()\n rb_buffer_peek()\n rb_get_reader_page()\n // 5. because rb_num_of_entries() == 0 always true here\n // then return NULL\n // 6. user buffer not been filled so goto \u0027waitgain\u0027\n // and eventually leads to an deadloop in kernel!!!\n }\n\nBy some analyzing, I found that when resetting ringbuffer, the \u0027entries\u0027\nof its pages are not all cleared (see rb_reset_cpu()). Then when reducing\nthe ringbuffer, and if some reduced pages exist dirty \u0027entries\u0027 data, they\nwill be added into \u0027cpu_buffer-\u003eoverrun\u0027 (see rb_remove_pages()), which\ncause wrong \u0027overrun\u0027 count and eventually cause the deadloop issue.\n\nTo fix it, we need to clear every pages in rb_reset_cpu()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:26.164Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a29dae5786d263016a9aceb1e56bf3fd4cc6fa0"
},
{
"url": "https://git.kernel.org/stable/c/a55e8a3596048c2f7b574049aeb1885b5abba1cc"
},
{
"url": "https://git.kernel.org/stable/c/e84829522fc72bb43556b31575731de0440ac0dd"
},
{
"url": "https://git.kernel.org/stable/c/5e68f1f3a20fe9b6bde018e353269fbfa289609c"
},
{
"url": "https://git.kernel.org/stable/c/bb14a93bccc92766b1d9302c6bcbea17d4bce306"
},
{
"url": "https://git.kernel.org/stable/c/8b0b63fdac6b70a45614e7d4b30e5bbb93deb007"
},
{
"url": "https://git.kernel.org/stable/c/27bdd93e44cc28dd9b94893fae146b83d4f5b31e"
},
{
"url": "https://git.kernel.org/stable/c/7e42907f3a7b4ce3a2d1757f6d78336984daf8f5"
}
],
"title": "ring-buffer: Fix deadloop issue on reading trace_pipe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53668",
"datePublished": "2025-10-07T15:21:26.164Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:26.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3773 (GCVE-0-2023-3773)
Vulnerability from cvelistv5
Published
2023-07-25 15:47
Modified
2025-11-14 14:21
CWE
- CWE-125 - Out-of-bounds Read
Summary
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:5.14.0-362.8.1.el9_3 < * (cpe:/a:redhat:enterprise_linux:9::appstream, cpe:/a:redhat:enterprise_linux:9::nfv, cpe:/a:redhat:enterprise_linux:9::realtime, cpe:/o:redhat:enterprise_linux:9::baseos, cpe:/a:redhat:enterprise_linux:9::crb) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:49.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3773"
},
{
"name": "RHBZ#2218944",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218944"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:33:27.598158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:47:25.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Lin Ma (ZJU \u0026 Ant Security Light-Year Lab) for reporting this issue."
}
],
"datePublic": "2023-07-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T14:21:06.184Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3773"
},
{
"name": "RHBZ#2218944",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218944"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-29T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-07-23T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: xfrm: out-of-bounds read of xfrma_mtimer_thresh nlattr",
"x_redhatCweChain": "CWE-125: Out-of-bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3773",
"datePublished": "2023-07-25T15:47:40.391Z",
"dateReserved": "2023-07-19T13:55:13.694Z",
"dateUpdated": "2025-11-14T14:21:06.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53648 (GCVE-0-2023-53648)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
smatch error:
sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
we previously assumed 'rac97' could be null (see line 2072)
remove redundant assignment, return error if rac97 is NULL.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: da3cec35dd3c31d8706db4bf379372ce70d92118 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ac97/ac97_codec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "809af7bb4219bdeef0dbb8b2ed700d6516d13fe9",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "e4cccff1e7ab6ea30995b6fbbb007d02647e025c",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "5f13d67027fa782096e6aee0db5dce61c4aeb613",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "f923a582217b198b557756809ffe42ac0fad6adb",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "300e26e3e64880de5013eac8831cf44387ef752c",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "d28b83252e150155b8b8c65b612c555e93c8b45f",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "09baf460dfba79ee6a0c72e68ccdbbba84d894df",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "228da1fa124470606ac19783e551f9d51a1e01b0",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "79597c8bf64ca99eab385115743131d260339da5",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ac97/ac97_codec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer\n\nsmatch error:\nsound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:\nwe previously assumed \u0027rac97\u0027 could be null (see line 2072)\n\nremove redundant assignment, return error if rac97 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:45.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/809af7bb4219bdeef0dbb8b2ed700d6516d13fe9"
},
{
"url": "https://git.kernel.org/stable/c/e4cccff1e7ab6ea30995b6fbbb007d02647e025c"
},
{
"url": "https://git.kernel.org/stable/c/5f13d67027fa782096e6aee0db5dce61c4aeb613"
},
{
"url": "https://git.kernel.org/stable/c/f923a582217b198b557756809ffe42ac0fad6adb"
},
{
"url": "https://git.kernel.org/stable/c/300e26e3e64880de5013eac8831cf44387ef752c"
},
{
"url": "https://git.kernel.org/stable/c/d28b83252e150155b8b8c65b612c555e93c8b45f"
},
{
"url": "https://git.kernel.org/stable/c/09baf460dfba79ee6a0c72e68ccdbbba84d894df"
},
{
"url": "https://git.kernel.org/stable/c/228da1fa124470606ac19783e551f9d51a1e01b0"
},
{
"url": "https://git.kernel.org/stable/c/79597c8bf64ca99eab385115743131d260339da5"
}
],
"title": "ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53648",
"datePublished": "2025-10-07T15:19:45.780Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:45.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50518 (GCVE-0-2022-50518)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Fix locking in pdc_iodc_print() firmware call
Utilize pdc_lock spinlock to protect parallel modifications of the
iodc_dbuf[] buffer, check length to prevent buffer overflow of
iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong
indentings.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04a603058e70b8b881bb7860b8bd649f931f2591",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "553bc5890ed96a8d006224c3a4673c47fee0d12a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7236aae5f81f3efbd93d0601e74fc05994bc2580",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix locking in pdc_iodc_print() firmware call\n\nUtilize pdc_lock spinlock to protect parallel modifications of the\niodc_dbuf[] buffer, check length to prevent buffer overflow of\niodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong\nindentings."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:13.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04a603058e70b8b881bb7860b8bd649f931f2591"
},
{
"url": "https://git.kernel.org/stable/c/553bc5890ed96a8d006224c3a4673c47fee0d12a"
},
{
"url": "https://git.kernel.org/stable/c/7236aae5f81f3efbd93d0601e74fc05994bc2580"
}
],
"title": "parisc: Fix locking in pdc_iodc_print() firmware call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50518",
"datePublished": "2025-10-07T15:19:13.040Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:13.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53640 (GCVE-0-2023-53640)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-30 19:33
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: lpass: Fix for KASAN use_after_free out of bounds
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f1512d78b5de928f4616a871e77b58fd546e651",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "f5e61e3fe799ba2fda4320af23d26d28c3302045",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: lpass: Fix for KASAN use_after_free out of bounds\n\nWhen we run syzkaller we get below Out of Bounds error.\n\n\"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\nBelow is the backtrace of the issue:\n\nBUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110\nRead of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144\nCPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W\nHardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)\nCall trace:\ndump_backtrace+0x0/0x4ec\nshow_stack+0x34/0x50\ndump_stack_lvl+0xdc/0x11c\nprint_address_description+0x30/0x2d8\nkasan_report+0x178/0x1e4\n__asan_report_load4_noabort+0x44/0x50\nregcache_flat_read+0x10c/0x110\nregcache_read+0xf8/0x5a0\n_regmap_read+0x45c/0x86c\n_regmap_update_bits+0x128/0x290\nregmap_update_bits_base+0xc0/0x15c\nsnd_soc_component_update_bits+0xa8/0x22c\nsnd_soc_component_write_field+0x68/0xd4\ntx_macro_put_dec_enum+0x1d0/0x268\nsnd_ctl_elem_write+0x288/0x474\n\nBy Error checking and checking valid values issue gets rectifies."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:06.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f1512d78b5de928f4616a871e77b58fd546e651"
},
{
"url": "https://git.kernel.org/stable/c/8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5"
},
{
"url": "https://git.kernel.org/stable/c/f5e61e3fe799ba2fda4320af23d26d28c3302045"
},
{
"url": "https://git.kernel.org/stable/c/75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1"
}
],
"title": "ASoC: lpass: Fix for KASAN use_after_free out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53640",
"datePublished": "2025-10-07T15:19:40.348Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-30T19:33:06.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50551 (GCVE-0-2022-50551)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
? lock_chain_count+0x20/0x20
brcmf_fw_alloc_request.cold+0x19/0x3ea
? brcmf_fw_get_firmwares+0x250/0x250
? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
brcmf_usb_get_fwname+0x114/0x1a0
? brcmf_usb_reset_resume+0x120/0x120
? number+0x6c4/0x9a0
brcmf_c_process_clm_blob+0x168/0x590
? put_dec+0x90/0x90
? enable_ptr_key_workfn+0x20/0x20
? brcmf_common_pd_remove+0x50/0x50
? rcu_read_lock_sched_held+0xa1/0xd0
brcmf_c_preinit_dcmds+0x673/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1cc/0x260
? mark_held_locks+0x9f/0xe0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? _raw_spin_unlock_irqrestore+0x47/0x50
? trace_hardirqs_on+0x1c/0x120
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1476/0x1d50
? kmemdup+0x30/0x40
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
? usb_match_id.part.0+0x88/0xc0
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __mutex_unlock_slowpath+0xe7/0x660
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_set_configuration+0x984/0x1770
? kernfs_create_link+0x175/0x230
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_new_device.cold+0x463/0xf66
? hub_disconnect+0x400/0x400
? _raw_spin_unlock_irq+0x24/0x30
hub_event+0x10d5/0x3330
? hub_port_debounce+0x280/0x280
? __lock_acquire+0x1671/0x5790
? wq_calc_node_cpumask+0x170/0x2a0
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? pr
---truncated---
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1db036d13e10809943c2dce553e2fa7fc9c6cd80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bc45aa1911bf699b9905f12414e3c1879d6b784f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c8fc44c44b97854623c56363c359f711fc0b887",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d2f70fa2c7cc6c73a420ff15682454782d3d6f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b06a8a25eba07628313aa3c5496522eff97be53",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "87792567d9ed93fd336d2c3b8d7870f44e141e6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b12d2aa264bac35bff9b5399bb162262b2b8949",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "579c9b9838e8a73f6e93ddece07972c241514dcc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffb589963df103caaf062081a32db0b9e1798660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "81d17f6f3331f03c8eafdacea68ab773426c1e3c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()\n\nThis patch fixes a shift-out-of-bounds in brcmfmac that occurs in\nBIT(chiprev) when a \u0027chiprev\u0027 provided by the device is too large.\nIt should also not be equal to or greater than BITS_PER_TYPE(u32)\nas we do bitwise AND with a u32 variable and BIT(chiprev). The patch\nadds a check that makes the function return NULL if that is the case.\nNote that the NULL case is later handled by the bus-specific caller,\nbrcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.\n\nFound by a modified version of syzkaller.\n\nUBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c\nshift exponent 151055786 is too large for 64-bit type \u0027long unsigned int\u0027\nCPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb\n ? lock_chain_count+0x20/0x20\n brcmf_fw_alloc_request.cold+0x19/0x3ea\n ? brcmf_fw_get_firmwares+0x250/0x250\n ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0\n brcmf_usb_get_fwname+0x114/0x1a0\n ? brcmf_usb_reset_resume+0x120/0x120\n ? number+0x6c4/0x9a0\n brcmf_c_process_clm_blob+0x168/0x590\n ? put_dec+0x90/0x90\n ? enable_ptr_key_workfn+0x20/0x20\n ? brcmf_common_pd_remove+0x50/0x50\n ? rcu_read_lock_sched_held+0xa1/0xd0\n brcmf_c_preinit_dcmds+0x673/0xc40\n ? brcmf_c_set_joinpref_default+0x100/0x100\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lock_acquire+0x19d/0x4e0\n ? find_held_lock+0x2d/0x110\n ? brcmf_usb_deq+0x1cc/0x260\n ? mark_held_locks+0x9f/0xe0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n ? 
trace_hardirqs_on+0x1c/0x120\n ? brcmf_usb_deq+0x1a7/0x260\n ? brcmf_usb_rx_fill_all+0x5a/0xf0\n brcmf_attach+0x246/0xd40\n ? wiphy_new_nm+0x1476/0x1d50\n ? kmemdup+0x30/0x40\n brcmf_usb_probe+0x12de/0x1690\n ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n ? usb_match_id.part.0+0x88/0xc0\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __mutex_unlock_slowpath+0xe7/0x660\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_set_configuration+0x984/0x1770\n ? kernfs_create_link+0x175/0x230\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_new_device.cold+0x463/0xf66\n ? hub_disconnect+0x400/0x400\n ? _raw_spin_unlock_irq+0x24/0x30\n hub_event+0x10d5/0x3330\n ? hub_port_debounce+0x280/0x280\n ? __lock_acquire+0x1671/0x5790\n ? wq_calc_node_cpumask+0x170/0x2a0\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x873/0x13e0\n ? lock_release+0x640/0x640\n ? 
pwq_dec_nr_in_flight+0x320/0x320\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x8b/0xd10\n ? __kthread_parkme+0xd9/0x1d0\n ? pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:13.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1db036d13e10809943c2dce553e2fa7fc9c6cd80"
},
{
"url": "https://git.kernel.org/stable/c/bc45aa1911bf699b9905f12414e3c1879d6b784f"
},
{
"url": "https://git.kernel.org/stable/c/4c8fc44c44b97854623c56363c359f711fc0b887"
},
{
"url": "https://git.kernel.org/stable/c/9d2f70fa2c7cc6c73a420ff15682454782d3d6f6"
},
{
"url": "https://git.kernel.org/stable/c/5b06a8a25eba07628313aa3c5496522eff97be53"
},
{
"url": "https://git.kernel.org/stable/c/87792567d9ed93fd336d2c3b8d7870f44e141e6d"
},
{
"url": "https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949"
},
{
"url": "https://git.kernel.org/stable/c/579c9b9838e8a73f6e93ddece07972c241514dcc"
},
{
"url": "https://git.kernel.org/stable/c/ffb589963df103caaf062081a32db0b9e1798660"
},
{
"url": "https://git.kernel.org/stable/c/81d17f6f3331f03c8eafdacea68ab773426c1e3c"
}
],
"title": "wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50551",
"datePublished": "2025-10-07T15:21:13.391Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:13.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50546 (GCVE-0-2022-50546)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix uninititialized value in 'ext4_evict_inode'
Syzbot found the following issue:
=====================================================
BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
evict+0x365/0x9a0 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x985/0xdd0 fs/inode.c:1773
__ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361
ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844
vfs_mknod+0x79d/0x830 fs/namei.c:3914
do_mknodat+0x47d/0xaa0
__do_sys_mknodat fs/namei.c:3992 [inline]
__se_sys_mknodat fs/namei.c:3989 [inline]
__ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
__alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x1b5/0x1010 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3117 [inline]
ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321
alloc_inode+0x83/0x440 fs/inode.c:259
new_inode_pseudo fs/inode.c:1018 [inline]
new_inode+0x3b/0x430 fs/inode.c:1046
__ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959
ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992
vfs_mkdir+0x62a/0x870 fs/namei.c:4035
do_mkdirat+0x466/0x7b0 fs/namei.c:4060
__do_sys_mkdirat fs/namei.c:4075 [inline]
__se_sys_mkdirat fs/namei.c:4073 [inline]
__ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
=====================================================
Now, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If new inode failed
before set 'ei->i_flags' in '__ext4_new_inode()', then do 'iput()'. As after
6bc0d63dad7f commit will access 'ei->i_flags' in 'ext4_evict_inode()' which
will lead to access uninit-value.
To solve above issue just init 'ei->i_flags' in 'ext4_alloc_inode()'.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: bb337d8dd1e1d6b7719872e45e36392f3ab14b4f Version: a5f9bd4beae8553480d02b569d4aabee1b49345d Version: 0e6fbc566fcc4c230bf80f76cf5df26b42142d8a Version: 0b885394fd009aa0b46d81b496a816ab11309f8a Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 819d16f7feaca0f2ed3409be14fe953127fc51b6 Version: 458aee4a6e5be7ad862ee27dfaf07ce552d84f32 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0bffdcc7cb14598af2aa706f1e0f2a9054154ba",
"status": "affected",
"version": "bb337d8dd1e1d6b7719872e45e36392f3ab14b4f",
"versionType": "git"
},
{
"lessThan": "e431b4fb1fb8c2654b808086e9747a000adb9655",
"status": "affected",
"version": "a5f9bd4beae8553480d02b569d4aabee1b49345d",
"versionType": "git"
},
{
"lessThan": "091f85db4c3fb1734a6d7fb4777a2b2831da6631",
"status": "affected",
"version": "0e6fbc566fcc4c230bf80f76cf5df26b42142d8a",
"versionType": "git"
},
{
"lessThan": "3c31d8d3ad95aef8cc17a4fcf317e46217148439",
"status": "affected",
"version": "0b885394fd009aa0b46d81b496a816ab11309f8a",
"versionType": "git"
},
{
"lessThan": "56491d60ddca9c697d885394cb0173675b9ab81f",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"lessThan": "9f966e021c20caae639dd0e404c8761e8281a2c4",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"lessThan": "7ea71af94eaaaf6d9aed24bc94a05b977a741cb9",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"status": "affected",
"version": "819d16f7feaca0f2ed3409be14fe953127fc51b6",
"versionType": "git"
},
{
"status": "affected",
"version": "458aee4a6e5be7ad862ee27dfaf07ce552d84f32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninititialized value in \u0027ext4_evict_inode\u0027\n\nSyzbot found the following issue:\n=====================================================\nBUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n evict+0x365/0x9a0 fs/inode.c:664\n iput_final fs/inode.c:1747 [inline]\n iput+0x985/0xdd0 fs/inode.c:1773\n __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361\n ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844\n vfs_mknod+0x79d/0x830 fs/namei.c:3914\n do_mknodat+0x47d/0xaa0\n __do_sys_mknodat fs/namei.c:3992 [inline]\n __se_sys_mknodat fs/namei.c:3989 [inline]\n __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578\n alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285\n alloc_slab_page mm/slub.c:1794 [inline]\n allocate_slab+0x1b5/0x1010 mm/slub.c:1939\n new_slab mm/slub.c:1992 [inline]\n ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180\n __slab_alloc mm/slub.c:3279 [inline]\n slab_alloc_node mm/slub.c:3364 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429\n alloc_inode_sb include/linux/fs.h:3117 [inline]\n ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321\n alloc_inode+0x83/0x440 fs/inode.c:259\n new_inode_pseudo fs/inode.c:1018 [inline]\n new_inode+0x3b/0x430 fs/inode.c:1046\n __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959\n ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992\n vfs_mkdir+0x62a/0x870 fs/namei.c:4035\n do_mkdirat+0x466/0x7b0 fs/namei.c:4060\n __do_sys_mkdirat 
fs/namei.c:4075 [inline]\n __se_sys_mkdirat fs/namei.c:4073 [inline]\n __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nCPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n=====================================================\n\nNow, \u0027ext4_alloc_inode()\u0027 didn\u0027t init \u0027ei-\u003ei_flags\u0027. If new inode failed\nbefore set \u0027ei-\u003ei_flags\u0027 in \u0027__ext4_new_inode()\u0027, then do \u0027iput()\u0027. As after\n6bc0d63dad7f commit will access \u0027ei-\u003ei_flags\u0027 in \u0027ext4_evict_inode()\u0027 which\nwill lead to access uninit-value.\nTo solve above issue just init \u0027ei-\u003ei_flags\u0027 in \u0027ext4_alloc_inode()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:09.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0bffdcc7cb14598af2aa706f1e0f2a9054154ba"
},
{
"url": "https://git.kernel.org/stable/c/e431b4fb1fb8c2654b808086e9747a000adb9655"
},
{
"url": "https://git.kernel.org/stable/c/091f85db4c3fb1734a6d7fb4777a2b2831da6631"
},
{
"url": "https://git.kernel.org/stable/c/3c31d8d3ad95aef8cc17a4fcf317e46217148439"
},
{
"url": "https://git.kernel.org/stable/c/56491d60ddca9c697d885394cb0173675b9ab81f"
},
{
"url": "https://git.kernel.org/stable/c/9f966e021c20caae639dd0e404c8761e8281a2c4"
},
{
"url": "https://git.kernel.org/stable/c/7ea71af94eaaaf6d9aed24bc94a05b977a741cb9"
}
],
"title": "ext4: fix uninititialized value in \u0027ext4_evict_inode\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50546",
"datePublished": "2025-10-07T15:21:09.963Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:09.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53672 (GCVE-0-2023-53672)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: output extra debug info if we failed to find an inline backref
[BUG]
Syzbot reported several warning triggered inside
lookup_inline_extent_backref().
[CAUSE]
As usual, the reproducer doesn't reliably trigger locally here, but at
least we know the WARN_ON() is triggered when an inline backref can not
be found, and it can only be triggered when @insert is true. (I.e.
inserting a new inline backref, which means the backref should already
exist)
[ENHANCEMENT]
After the WARN_ON(), dump all the parameters and the extent tree
leaf to help debug.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376b41524b71e494514720bd6114325b0a2ed19c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "400e08a16604b534fdd82c5a288fa150d04f5f79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7afbfde45d665953b4d5a42a721e15bf0315d89b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b7c3cf2f6c42e6688b1c37215a0b1663f982f915",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6994f806c6d1ae8b59344d3700358547f3b3fe1d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28062cd6eda04035d8f6ded2001292ac8b496149",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e70ba449b04b40584bdabb383d10455397cbf177",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f72f50547b7af4ddf985b07fc56600a4deba281",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: output extra debug info if we failed to find an inline backref\n\n[BUG]\nSyzbot reported several warning triggered inside\nlookup_inline_extent_backref().\n\n[CAUSE]\nAs usual, the reproducer doesn\u0027t reliably trigger locally here, but at\nleast we know the WARN_ON() is triggered when an inline backref can not\nbe found, and it can only be triggered when @insert is true. (I.e.\ninserting a new inline backref, which means the backref should already\nexist)\n\n[ENHANCEMENT]\nAfter the WARN_ON(), dump all the parameters and the extent tree\nleaf to help debug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:28.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376b41524b71e494514720bd6114325b0a2ed19c"
},
{
"url": "https://git.kernel.org/stable/c/400e08a16604b534fdd82c5a288fa150d04f5f79"
},
{
"url": "https://git.kernel.org/stable/c/7afbfde45d665953b4d5a42a721e15bf0315d89b"
},
{
"url": "https://git.kernel.org/stable/c/b7c3cf2f6c42e6688b1c37215a0b1663f982f915"
},
{
"url": "https://git.kernel.org/stable/c/6994f806c6d1ae8b59344d3700358547f3b3fe1d"
},
{
"url": "https://git.kernel.org/stable/c/28062cd6eda04035d8f6ded2001292ac8b496149"
},
{
"url": "https://git.kernel.org/stable/c/e70ba449b04b40584bdabb383d10455397cbf177"
},
{
"url": "https://git.kernel.org/stable/c/7f72f50547b7af4ddf985b07fc56600a4deba281"
}
],
"title": "btrfs: output extra debug info if we failed to find an inline backref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53672",
"datePublished": "2025-10-07T15:21:28.975Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:28.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50545 (GCVE-0-2022-50545)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
r6040: Fix kmemleak in probe and remove
There is a memory leak reported by kmemleak:

  unreferenced object 0xffff888116111000 (size 2048):
    comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
    hex dump (first 32 bytes):
      00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff  ................
      08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    backtrace:
      [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
      [<ffffffff827e20ee>] phy_device_create+0x4e/0x90
      [<ffffffff827e6072>] get_phy_device+0xd2/0x220
      [<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
      [<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
      [<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
      ...

The problem occurs in the probe process as follows:

  r6040_init_one:
    mdiobus_register
      mdiobus_scan    <- alloc and register phy_device,
                         the reference count of phy_device is 3
    r6040_mii_probe
      phy_connect     <- connect to the first phy_device,
                         so the reference count of the first
                         phy_device is 4, others are 3
    register_netdev   <- fault inject succeeded, goto error handling path

    // error handling path
    err_out_mdio_unregister:
      mdiobus_unregister(lp->mii_bus);
    err_out_mdio:
      mdiobus_free(lp->mii_bus);    <- the reference count of the first
                                       phy_device is 1, it is not released
                                       and other phy_devices are released
  // similarly, the remove process also has the same problem

The root cause is that the phy_device is not disconnected when one r6040 device is removed in r6040_remove_one() or on the error handling path after r6040_mii has probed successfully. In r6040_mii_probe(), a net ethernet device is connected to the first PHY device of mii_bus, in order to notify the connected driver when the link status changes, which is the default behavior of the PHY infrastructure to handle everything. Therefore the phy_device should be disconnected when one r6040 device is removed or on the error handling path.

Fix it by adding phy_disconnect() when one r6040 device is removed or on the error handling path after r6040_mii has probed successfully.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a04707f4596952049da05756c27398c34d9a1d36",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b4448816e6a565e08236a6009c6bf48c6836cdfd",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "2ce242e1b9ad31c1f68496b3548e407a8cb2c07d",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b0a61359026b57a287a48fbb4ba1d097023eca3e",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "3d5f83a62e8235d235534b3dc6f197d8a822c269",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "9b5b50329e2e966831a7237dd6949e7b5362a49a",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "ad2c8f25457ca9a81e7e958148cbc26600ce3071",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "5944c25c67de54e0aa53623e1e1af3bf8b16ed44",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "7e43039a49c2da45edc1d9d7c9ede4003ab45a5f",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr6040: Fix kmemleak in probe and remove\n\nThere is a memory leaks reported by kmemleak:\n\n unreferenced object 0xffff888116111000 (size 2048):\n comm \"modprobe\", pid 817, jiffies 4294759745 (age 76.502s)\n hex dump (first 32 bytes):\n 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................\n 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff815bcd82\u003e] kmalloc_trace+0x22/0x60\n [\u003cffffffff827e20ee\u003e] phy_device_create+0x4e/0x90\n [\u003cffffffff827e6072\u003e] get_phy_device+0xd2/0x220\n [\u003cffffffff827e7844\u003e] mdiobus_scan+0xa4/0x2e0\n [\u003cffffffff827e8be2\u003e] __mdiobus_register+0x482/0x8b0\n [\u003cffffffffa01f5d24\u003e] r6040_init_one+0x714/0xd2c [r6040]\n ...\n\nThe problem occurs in probe process as follows:\n r6040_init_one:\n mdiobus_register\n mdiobus_scan \u003c- alloc and register phy_device,\n the reference count of phy_device is 3\n r6040_mii_probe\n phy_connect \u003c- connect to the first phy_device,\n so the reference count of the first\n phy_device is 4, others are 3\n register_netdev \u003c- fault inject succeeded, goto error handling path\n\n // error handling path\n err_out_mdio_unregister:\n mdiobus_unregister(lp-\u003emii_bus);\n err_out_mdio:\n mdiobus_free(lp-\u003emii_bus); \u003c- the reference count of the first\n phy_device is 1, it is not released\n and other phy_devices are released\n // similarly, the remove process also has the same problem\n\nThe root cause is traced to the phy_device is not disconnected when\nremoves one r6040 device in r6040_remove_one() or on error handling path\nafter r6040_mii probed successfully. 
In r6040_mii_probe(), a net ethernet\ndevice is connected to the first PHY device of mii_bus, in order to\nnotify the connected driver when the link status changes, which is the\ndefault behavior of the PHY infrastructure to handle everything.\nTherefore the phy_device should be disconnected when removes one r6040\ndevice or on error handling path.\n\nFix it by adding phy_disconnect() when removes one r6040 device or on\nerror handling path after r6040_mii probed successfully."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:09.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a04707f4596952049da05756c27398c34d9a1d36"
},
{
"url": "https://git.kernel.org/stable/c/b4448816e6a565e08236a6009c6bf48c6836cdfd"
},
{
"url": "https://git.kernel.org/stable/c/2ce242e1b9ad31c1f68496b3548e407a8cb2c07d"
},
{
"url": "https://git.kernel.org/stable/c/b0a61359026b57a287a48fbb4ba1d097023eca3e"
},
{
"url": "https://git.kernel.org/stable/c/3d5f83a62e8235d235534b3dc6f197d8a822c269"
},
{
"url": "https://git.kernel.org/stable/c/9b5b50329e2e966831a7237dd6949e7b5362a49a"
},
{
"url": "https://git.kernel.org/stable/c/ad2c8f25457ca9a81e7e958148cbc26600ce3071"
},
{
"url": "https://git.kernel.org/stable/c/5944c25c67de54e0aa53623e1e1af3bf8b16ed44"
},
{
"url": "https://git.kernel.org/stable/c/7e43039a49c2da45edc1d9d7c9ede4003ab45a5f"
}
],
"title": "r6040: Fix kmemleak in probe and remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50545",
"datePublished": "2025-10-07T15:21:09.288Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:09.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50552 (GCVE-0-2022-50552)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: use quiesced elevator switch when reinitializing queues
The hctx's run_work may be racing with the elevator switch when
reinitializing hardware queues. The queue is merely frozen in this
context, but that only prevents requests from allocating and doesn't
stop the hctx work from running. The work may get an elevator pointer
that's being torn down, and can result in use-after-free errors and
kernel panics (example below). Use the quiesced elevator switch instead,
and make the previous one static since it is now only used locally.
nvme nvme0: resetting controller
nvme nvme0: 32/0/0 default/read/poll queues
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0
Oops: 0000 [#1] SMP PTI
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:kyber_has_work+0x29/0x70
...
Call Trace:
__blk_mq_do_dispatch_sched+0x83/0x2b0
__blk_mq_sched_dispatch_requests+0x12e/0x170
blk_mq_sched_dispatch_requests+0x30/0x60
__blk_mq_run_hw_queue+0x2b/0x50
process_one_work+0x1ef/0x380
worker_thread+0x2d/0x3e0
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c",
"block/blk.h",
"block/elevator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63a681bcc32a43528ce0f690569f7f48e59c3963",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c478b3b2900f1834cf9eda5bfef0d5696099505d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8237c01f1696bc53c470493bf1fe092a107648a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c",
"block/blk.h",
"block/elevator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: use quiesced elevator switch when reinitializing queues\n\nThe hctx\u0027s run_work may be racing with the elevator switch when\nreinitializing hardware queues. The queue is merely frozen in this\ncontext, but that only prevents requests from allocating and doesn\u0027t\nstop the hctx work from running. The work may get an elevator pointer\nthat\u0027s being torn down, and can result in use-after-free errors and\nkernel panics (example below). Use the quiesced elevator switch instead,\nand make the previous one static since it is now only used locally.\n\n nvme nvme0: resetting controller\n nvme nvme0: 32/0/0 default/read/poll queues\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0\n Oops: 0000 [#1] SMP PTI\n Workqueue: kblockd blk_mq_run_work_fn\n RIP: 0010:kyber_has_work+0x29/0x70\n\n...\n\n Call Trace:\n __blk_mq_do_dispatch_sched+0x83/0x2b0\n __blk_mq_sched_dispatch_requests+0x12e/0x170\n blk_mq_sched_dispatch_requests+0x30/0x60\n __blk_mq_run_hw_queue+0x2b/0x50\n process_one_work+0x1ef/0x380\n worker_thread+0x2d/0x3e0"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:14.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63a681bcc32a43528ce0f690569f7f48e59c3963"
},
{
"url": "https://git.kernel.org/stable/c/c478b3b2900f1834cf9eda5bfef0d5696099505d"
},
{
"url": "https://git.kernel.org/stable/c/8237c01f1696bc53c470493bf1fe092a107648a6"
}
],
"title": "blk-mq: use quiesced elevator switch when reinitializing queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50552",
"datePublished": "2025-10-07T15:21:14.060Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:14.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50554 (GCVE-0-2022-50554)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: avoid double ->queue_rq() because of early timeout
David Jeffery found one double ->queue_rq() issue. So far it can be triggered in the VM use case because of long vmexit latency, preempt latency of the vCPU pthread, or a long page fault in the vCPU pthread: a block IO request could then be timed out before the request is queued to hardware but after blk_mq_start_request() is called during ->queue_rq(). The timeout handler may then handle it by requeueing, which causes a double ->queue_rq() and a kernel panic.

So far, it is the driver's responsibility to cover the race between timeout and completion, so in theory it is supposed to be solved in the driver, given that the driver has enough knowledge.

But it is really a common problem: lots of drivers could have a similar issue, it could be hard to fix all affected drivers, and it isn't even easy for a driver to handle the race. So David suggests this patch, which drains in-progress ->queue_rq() to solve this issue.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a73c54a3750895888ab586896736c9434e062a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b3d6b029a552d2978bbac275303d11419826a69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82c229476b8f6afd7e09bc4dc77d89dc19ff7688",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: avoid double -\u003equeue_rq() because of early timeout\n\nDavid Jeffery found one double -\u003equeue_rq() issue, so far it can\nbe triggered in VM use case because of long vmexit latency or preempt\nlatency of vCPU pthread or long page fault in vCPU pthread, then block\nIO req could be timed out before queuing the request to hardware but after\ncalling blk_mq_start_request() during -\u003equeue_rq(), then timeout handler\nmay handle it by requeue, then double -\u003equeue_rq() is caused, and kernel\npanic.\n\nSo far, it is driver\u0027s responsibility to cover the race between timeout\nand completion, so it seems supposed to be solved in driver in theory,\ngiven driver has enough knowledge.\n\nBut it is really one common problem, lots of driver could have similar\nissue, and could be hard to fix all affected drivers, even it isn\u0027t easy\nfor driver to handle the race. So David suggests this patch by draining\nin-progress -\u003equeue_rq() for solving this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:15.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a73c54a3750895888ab586896736c9434e062a1"
},
{
"url": "https://git.kernel.org/stable/c/8b3d6b029a552d2978bbac275303d11419826a69"
},
{
"url": "https://git.kernel.org/stable/c/82c229476b8f6afd7e09bc4dc77d89dc19ff7688"
}
],
"title": "blk-mq: avoid double -\u003equeue_rq() because of early timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50554",
"datePublished": "2025-10-07T15:21:15.438Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:15.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53671 (GCVE-0-2023-53671)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
srcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL
Commit 994f706872e6 ("srcu: Make Tree SRCU able to operate without
snp_node array") assumes that cpu 0 is always online. However, there
really are situations when some other CPU is the boot CPU, for example,
when booting a kdump kernel with the maxcpus=1 boot parameter.
On PowerPC, the kdump kernel can hang as follows:
...
[ 1.740036] systemd[1]: Hostname set to <xyz.com>
[ 243.686240] INFO: task systemd:1 blocked for more than 122 seconds.
[ 243.686264] Not tainted 6.1.0-rc1 #1
[ 243.686272] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 243.686281] task:systemd state:D stack:0 pid:1 ppid:0 flags:0x00042000
[ 243.686296] Call Trace:
[ 243.686301] [c000000016657640] [c000000016657670] 0xc000000016657670 (unreliable)
[ 243.686317] [c000000016657830] [c00000001001dec0] __switch_to+0x130/0x220
[ 243.686333] [c000000016657890] [c000000010f607b8] __schedule+0x1f8/0x580
[ 243.686347] [c000000016657940] [c000000010f60bb4] schedule+0x74/0x140
[ 243.686361] [c0000000166579b0] [c000000010f699b8] schedule_timeout+0x168/0x1c0
[ 243.686374] [c000000016657a80] [c000000010f61de8] __wait_for_common+0x148/0x360
[ 243.686387] [c000000016657b20] [c000000010176bb0] __flush_work.isra.0+0x1c0/0x3d0
[ 243.686401] [c000000016657bb0] [c0000000105f2768] fsnotify_wait_marks_destroyed+0x28/0x40
[ 243.686415] [c000000016657bd0] [c0000000105f21b8] fsnotify_destroy_group+0x68/0x160
[ 243.686428] [c000000016657c40] [c0000000105f6500] inotify_release+0x30/0xa0
[ 243.686440] [c000000016657cb0] [c0000000105751a8] __fput+0xc8/0x350
[ 243.686452] [c000000016657d00] [c00000001017d524] task_work_run+0xe4/0x170
[ 243.686464] [c000000016657d50] [c000000010020e94] do_notify_resume+0x134/0x140
[ 243.686478] [c000000016657d80] [c00000001002eb18] interrupt_exit_user_prepare_main+0x198/0x270
[ 243.686493] [c000000016657de0] [c00000001002ec60] syscall_exit_prepare+0x70/0x180
[ 243.686505] [c000000016657e10] [c00000001000bf7c] system_call_vectored_common+0xfc/0x280
[ 243.686520] --- interrupt: 3000 at 0x7fffa47d5ba4
[ 243.686528] NIP: 00007fffa47d5ba4 LR: 0000000000000000 CTR: 0000000000000000
[ 243.686538] REGS: c000000016657e80 TRAP: 3000 Not tainted (6.1.0-rc1)
[ 243.686548] MSR: 800000000000d033 <SF,EE,PR,ME,IR,DR,RI,LE> CR: 42044440 XER: 00000000
[ 243.686572] IRQMASK: 0
[ 243.686572] GPR00: 0000000000000006 00007ffffa606710 00007fffa48e7200 0000000000000000
[ 243.686572] GPR04: 0000000000000002 000000000000000a 0000000000000000 0000000000000001
[ 243.686572] GPR08: 000001000c172dd0 0000000000000000 0000000000000000 0000000000000000
[ 243.686572] GPR12: 0000000000000000 00007fffa4ff4bc0 0000000000000000 0000000000000000
[ 243.686572] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 243.686572] GPR20: 0000000132dfdc50 000000000000000e 0000000000189375 0000000000000000
[ 243.686572] GPR24: 00007ffffa606ae0 0000000000000005 000001000c185490 000001000c172570
[ 243.686572] GPR28: 000001000c172990 000001000c184850 000001000c172e00 00007fffa4fedd98
[ 243.686683] NIP [00007fffa47d5ba4] 0x7fffa47d5ba4
[ 243.686691] LR [0000000000000000] 0x0
[ 243.686698] --- interrupt: 3000
[ 243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.
[ 243.686717] Not tainted 6.1.0-rc1 #1
[ 243.686724] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 243.686733] task:kworker/u16:1 state:D stack:0 pid:24 ppid:2 flags:0x00000800
[ 243.686747] Workqueue: events_unbound fsnotify_mark_destroy_workfn
[ 243.686758] Call Trace:
[ 243.686762] [c0000000166736e0] [c00000004fd91000] 0xc00000004fd91000 (unreliable)
[ 243.686775] [c0000000166738d0] [c00000001001dec0] __switch_to+0x130/0x220
[ 243.686788] [c000000016673930] [c000000010f607b8] __schedule+0x1f8/0x
---truncated---
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/srcutree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c4d26dad76eadaa45a24543e311e9ce5d09f04e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c7c0bc03fa44942fe0fdc5ac52cda6e11529c0ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f24626d6dd844bfc6d1f492d214d29c86d02550",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/srcutree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsrcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL\n\nCommit 994f706872e6 (\"srcu: Make Tree SRCU able to operate without\nsnp_node array\") assumes that cpu 0 is always online. However, there\nreally are situations when some other CPU is the boot CPU, for example,\nwhen booting a kdump kernel with the maxcpus=1 boot parameter.\n\nOn PowerPC, the kdump kernel can hang as follows:\n...\n[ 1.740036] systemd[1]: Hostname set to \u003cxyz.com\u003e\n[ 243.686240] INFO: task systemd:1 blocked for more than 122 seconds.\n[ 243.686264] Not tainted 6.1.0-rc1 #1\n[ 243.686272] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 243.686281] task:systemd state:D stack:0 pid:1 ppid:0 flags:0x00042000\n[ 243.686296] Call Trace:\n[ 243.686301] [c000000016657640] [c000000016657670] 0xc000000016657670 (unreliable)\n[ 243.686317] [c000000016657830] [c00000001001dec0] __switch_to+0x130/0x220\n[ 243.686333] [c000000016657890] [c000000010f607b8] __schedule+0x1f8/0x580\n[ 243.686347] [c000000016657940] [c000000010f60bb4] schedule+0x74/0x140\n[ 243.686361] [c0000000166579b0] [c000000010f699b8] schedule_timeout+0x168/0x1c0\n[ 243.686374] [c000000016657a80] [c000000010f61de8] __wait_for_common+0x148/0x360\n[ 243.686387] [c000000016657b20] [c000000010176bb0] __flush_work.isra.0+0x1c0/0x3d0\n[ 243.686401] [c000000016657bb0] [c0000000105f2768] fsnotify_wait_marks_destroyed+0x28/0x40\n[ 243.686415] [c000000016657bd0] [c0000000105f21b8] fsnotify_destroy_group+0x68/0x160\n[ 243.686428] [c000000016657c40] [c0000000105f6500] inotify_release+0x30/0xa0\n[ 243.686440] [c000000016657cb0] [c0000000105751a8] __fput+0xc8/0x350\n[ 243.686452] [c000000016657d00] [c00000001017d524] task_work_run+0xe4/0x170\n[ 243.686464] [c000000016657d50] [c000000010020e94] do_notify_resume+0x134/0x140\n[ 243.686478] [c000000016657d80] [c00000001002eb18] interrupt_exit_user_prepare_main+0x198/0x270\n[ 
243.686493] [c000000016657de0] [c00000001002ec60] syscall_exit_prepare+0x70/0x180\n[ 243.686505] [c000000016657e10] [c00000001000bf7c] system_call_vectored_common+0xfc/0x280\n[ 243.686520] --- interrupt: 3000 at 0x7fffa47d5ba4\n[ 243.686528] NIP: 00007fffa47d5ba4 LR: 0000000000000000 CTR: 0000000000000000\n[ 243.686538] REGS: c000000016657e80 TRAP: 3000 Not tainted (6.1.0-rc1)\n[ 243.686548] MSR: 800000000000d033 \u003cSF,EE,PR,ME,IR,DR,RI,LE\u003e CR: 42044440 XER: 00000000\n[ 243.686572] IRQMASK: 0\n[ 243.686572] GPR00: 0000000000000006 00007ffffa606710 00007fffa48e7200 0000000000000000\n[ 243.686572] GPR04: 0000000000000002 000000000000000a 0000000000000000 0000000000000001\n[ 243.686572] GPR08: 000001000c172dd0 0000000000000000 0000000000000000 0000000000000000\n[ 243.686572] GPR12: 0000000000000000 00007fffa4ff4bc0 0000000000000000 0000000000000000\n[ 243.686572] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[ 243.686572] GPR20: 0000000132dfdc50 000000000000000e 0000000000189375 0000000000000000\n[ 243.686572] GPR24: 00007ffffa606ae0 0000000000000005 000001000c185490 000001000c172570\n[ 243.686572] GPR28: 000001000c172990 000001000c184850 000001000c172e00 00007fffa4fedd98\n[ 243.686683] NIP [00007fffa47d5ba4] 0x7fffa47d5ba4\n[ 243.686691] LR [0000000000000000] 0x0\n[ 243.686698] --- interrupt: 3000\n[ 243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.\n[ 243.686717] Not tainted 6.1.0-rc1 #1\n[ 243.686724] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 243.686733] task:kworker/u16:1 state:D stack:0 pid:24 ppid:2 flags:0x00000800\n[ 243.686747] Workqueue: events_unbound fsnotify_mark_destroy_workfn\n[ 243.686758] Call Trace:\n[ 243.686762] [c0000000166736e0] [c00000004fd91000] 0xc00000004fd91000 (unreliable)\n[ 243.686775] [c0000000166738d0] [c00000001001dec0] __switch_to+0x130/0x220\n[ 243.686788] [c000000016673930] [c000000010f607b8] __schedule+0x1f8/0x\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:28.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c4d26dad76eadaa45a24543e311e9ce5d09f04e"
},
{
"url": "https://git.kernel.org/stable/c/c7c0bc03fa44942fe0fdc5ac52cda6e11529c0ea"
},
{
"url": "https://git.kernel.org/stable/c/7f24626d6dd844bfc6d1f492d214d29c86d02550"
}
],
"title": "srcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53671",
"datePublished": "2025-10-07T15:21:28.307Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:28.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50549 (GCVE-0-2022-50549)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
Following concurrent processes:
P1(drop cache)                          P2(kworker)
drop_caches_sysctl_handler
drop_slab
shrink_slab
down_read(&shrinker_rwsem) - LOCK A
do_shrink_slab
super_cache_scan
prune_icache_sb
dispose_list
evict
ext4_evict_inode
ext4_clear_inode
ext4_discard_preallocations
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_read_bh_nowait
submit_bh
dm_submit_bio
                                        do_worker
                                        process_deferred_bios
                                        commit
                                        metadata_operation_failed
                                        dm_pool_abort_metadata
                                        down_write(&pmd->root_lock) - LOCK B
                                        __destroy_persistent_data_objects
                                        dm_block_manager_destroy
                                        dm_bufio_client_destroy
                                        unregister_shrinker
                                        down_write(&shrinker_rwsem)
thin_map                                |
dm_thin_find_block                      ↓
down_read(&pmd->root_lock) --> ABBA deadlock
, which triggers hung task:
[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.
[ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2
[ 76.978534] Workqueue: dm-thin do_worker
[ 76.978552] Call Trace:
[ 76.978564] __schedule+0x6ba/0x10f0
[ 76.978582] schedule+0x9d/0x1e0
[ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0
[ 76.978600] down_write+0xec/0x110
[ 76.978607] unregister_shrinker+0x2c/0xf0
[ 76.978616] dm_bufio_client_destroy+0x116/0x3d0
[ 76.978625] dm_block_manager_destroy+0x19/0x40
[ 76.978629] __destroy_persistent_data_objects+0x5e/0x70
[ 76.978636] dm_pool_abort_metadata+0x8e/0x100
[ 76.978643] metadata_operation_failed+0x86/0x110
[ 76.978649] commit+0x6a/0x230
[ 76.978655] do_worker+0xc6e/0xd90
[ 76.978702] process_one_work+0x269/0x630
[ 76.978714] worker_thread+0x266/0x630
[ 76.978730] kthread+0x151/0x1b0
[ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.
[ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459
[ 76.982128] Call Trace:
[ 76.982139] __schedule+0x6ba/0x10f0
[ 76.982155] schedule+0x9d/0x1e0
[ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910
[ 76.982173] down_read+0x84/0x170
[ 76.982177] dm_thin_find_block+0x4c/0xd0
[ 76.982183] thin_map+0x201/0x3d0
[ 76.982188] __map_bio+0x5b/0x350
[ 76.982195] dm_submit_bio+0x2b6/0x930
[ 76.982202] __submit_bio+0x123/0x2d0
[ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0
[ 76.982222] submit_bio_noacct+0x389/0x770
[ 76.982227] submit_bio+0x50/0xc0
[ 76.982232] submit_bh_wbc+0x15e/0x230
[ 76.982238] submit_bh+0x14/0x20
[ 76.982241] ext4_read_bh_nowait+0xc5/0x130
[ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60
[ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0
[ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0
[ 76.982263] ext4_discard_preallocations+0x45d/0x830
[ 76.982274] ext4_clear_inode+0x48/0xf0
[ 76.982280] ext4_evict_inode+0xcf/0xc70
[ 76.982285] evict+0x119/0x2b0
[ 76.982290] dispose_list+0x43/0xa0
[ 76.982294] prune_icache_sb+0x64/0x90
[ 76.982298] super_cache_scan+0x155/0x210
[ 76.982303] do_shrink_slab+0x19e/0x4e0
[ 76.982310] shrink_slab+0x2bd/0x450
[ 76.982317] drop_slab+0xcc/0x1a0
[ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0
[ 76.982327] proc_sys_call_handler+0x1bc/0x300
[ 76.982331] proc_sys_write+0x17/0x20
[ 76.982334] vfs_write+0x3d3/0x570
[ 76.982342] ksys_write+0x73/0x160
[ 76.982347] __x64_sys_write+0x1e/0x30
[ 76.982352] do_syscall_64+0x35/0x80
[ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Funct
---truncated---
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: e49e582965b3694f07a106adc83ddb44aa4f0890 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "200aa33b5d781e7c0fa6c0c7db9dbcc3f574ce8f",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "7e37578069737b04955c71dd85db8a3bc2709eff",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "f8c26c33fef588ee54852cffa7cbb9f9d9869405",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "2d891cc5a1706b6908bceb56af7176a463ee6d62",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "cdf7a39bcc427febbfe3c3b9fe829825ead96c27",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "8111964f1b8524c4bb56b02cd9c7a37725ea21fd",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata\n\nFollowing concurrent processes:\n\n P1(drop cache) P2(kworker)\ndrop_caches_sysctl_handler\n drop_slab\n shrink_slab\n down_read(\u0026shrinker_rwsem) - LOCK A\n do_shrink_slab\n super_cache_scan\n prune_icache_sb\n dispose_list\n evict\n ext4_evict_inode\n\t ext4_clear_inode\n\t ext4_discard_preallocations\n\t ext4_mb_load_buddy_gfp\n\t ext4_mb_init_cache\n\t ext4_read_block_bitmap_nowait\n\t ext4_read_bh_nowait\n\t submit_bh\n\t dm_submit_bio\n\t\t do_worker\n\t\t\t\t process_deferred_bios\n\t\t\t\t commit\n\t\t\t\t metadata_operation_failed\n\t\t\t\t dm_pool_abort_metadata\n\t\t\t\t down_write(\u0026pmd-\u003eroot_lock) - LOCK B\n\t\t __destroy_persistent_data_objects\n\t\t\t\t dm_block_manager_destroy\n\t\t\t\t dm_bufio_client_destroy\n\t\t\t\t unregister_shrinker\n\t\t\t\t\t down_write(\u0026shrinker_rwsem)\n\t\t thin_map |\n\t\t dm_thin_find_block \u2193\n\t\t down_read(\u0026pmd-\u003eroot_lock) --\u003e ABBA deadlock\n\n, which triggers hung task:\n\n[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.\n[ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2\n[ 76.978534] Workqueue: dm-thin do_worker\n[ 76.978552] Call Trace:\n[ 76.978564] __schedule+0x6ba/0x10f0\n[ 76.978582] schedule+0x9d/0x1e0\n[ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0\n[ 76.978600] down_write+0xec/0x110\n[ 76.978607] unregister_shrinker+0x2c/0xf0\n[ 76.978616] dm_bufio_client_destroy+0x116/0x3d0\n[ 76.978625] dm_block_manager_destroy+0x19/0x40\n[ 76.978629] __destroy_persistent_data_objects+0x5e/0x70\n[ 76.978636] dm_pool_abort_metadata+0x8e/0x100\n[ 76.978643] metadata_operation_failed+0x86/0x110\n[ 76.978649] commit+0x6a/0x230\n[ 76.978655] do_worker+0xc6e/0xd90\n[ 76.978702] process_one_work+0x269/0x630\n[ 76.978714] 
worker_thread+0x266/0x630\n[ 76.978730] kthread+0x151/0x1b0\n[ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.\n[ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459\n[ 76.982128] Call Trace:\n[ 76.982139] __schedule+0x6ba/0x10f0\n[ 76.982155] schedule+0x9d/0x1e0\n[ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910\n[ 76.982173] down_read+0x84/0x170\n[ 76.982177] dm_thin_find_block+0x4c/0xd0\n[ 76.982183] thin_map+0x201/0x3d0\n[ 76.982188] __map_bio+0x5b/0x350\n[ 76.982195] dm_submit_bio+0x2b6/0x930\n[ 76.982202] __submit_bio+0x123/0x2d0\n[ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0\n[ 76.982222] submit_bio_noacct+0x389/0x770\n[ 76.982227] submit_bio+0x50/0xc0\n[ 76.982232] submit_bh_wbc+0x15e/0x230\n[ 76.982238] submit_bh+0x14/0x20\n[ 76.982241] ext4_read_bh_nowait+0xc5/0x130\n[ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60\n[ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0\n[ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0\n[ 76.982263] ext4_discard_preallocations+0x45d/0x830\n[ 76.982274] ext4_clear_inode+0x48/0xf0\n[ 76.982280] ext4_evict_inode+0xcf/0xc70\n[ 76.982285] evict+0x119/0x2b0\n[ 76.982290] dispose_list+0x43/0xa0\n[ 76.982294] prune_icache_sb+0x64/0x90\n[ 76.982298] super_cache_scan+0x155/0x210\n[ 76.982303] do_shrink_slab+0x19e/0x4e0\n[ 76.982310] shrink_slab+0x2bd/0x450\n[ 76.982317] drop_slab+0xcc/0x1a0\n[ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0\n[ 76.982327] proc_sys_call_handler+0x1bc/0x300\n[ 76.982331] proc_sys_write+0x17/0x20\n[ 76.982334] vfs_write+0x3d3/0x570\n[ 76.982342] ksys_write+0x73/0x160\n[ 76.982347] __x64_sys_write+0x1e/0x30\n[ 76.982352] do_syscall_64+0x35/0x80\n[ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFunct\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:12.006Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/200aa33b5d781e7c0fa6c0c7db9dbcc3f574ce8f"
},
{
"url": "https://git.kernel.org/stable/c/7e37578069737b04955c71dd85db8a3bc2709eff"
},
{
"url": "https://git.kernel.org/stable/c/f8c26c33fef588ee54852cffa7cbb9f9d9869405"
},
{
"url": "https://git.kernel.org/stable/c/2d891cc5a1706b6908bceb56af7176a463ee6d62"
},
{
"url": "https://git.kernel.org/stable/c/cdf7a39bcc427febbfe3c3b9fe829825ead96c27"
},
{
"url": "https://git.kernel.org/stable/c/8111964f1b8524c4bb56b02cd9c7a37725ea21fd"
}
],
"title": "dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50549",
"datePublished": "2025-10-07T15:21:12.006Z",
"dateReserved": "2025-10-07T15:15:38.668Z",
"dateUpdated": "2025-10-07T15:21:12.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50535 (GCVE-0-2022-50535)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential null-deref in dm_resume
[Why]
Fixing smatch error:
dm_resume() error: we previously assumed 'aconnector->dc_link' could be null
[How]
Check if dc_link null at the beginning of the loop,
so further checks can be dropped.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd79b61af2782f8875c78f50cdb8630ec43e2990",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d236103782de25736996a45bd36ac2a89bdc93c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f73793b81637c60ccc83cc508645310b8ab7d80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bb9a5562beb982aa5ebb73c521c49596ff8b8030",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8e365f1bd672cc9320a936f6ae6f8087aa40e9bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00b655fa96b4e941351cc4bf5ca755a65ae94a8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a7175a2cd84b7874bebbf8e59f134557a34161b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null-deref in dm_resume\n\n[Why]\nFixing smatch error:\ndm_resume() error: we previously assumed \u0027aconnector-\u003edc_link\u0027 could be null\n\n[How]\nCheck if dc_link null at the beginning of the loop,\nso further checks can be dropped."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:02.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd79b61af2782f8875c78f50cdb8630ec43e2990"
},
{
"url": "https://git.kernel.org/stable/c/d236103782de25736996a45bd36ac2a89bdc93c6"
},
{
"url": "https://git.kernel.org/stable/c/9f73793b81637c60ccc83cc508645310b8ab7d80"
},
{
"url": "https://git.kernel.org/stable/c/bb9a5562beb982aa5ebb73c521c49596ff8b8030"
},
{
"url": "https://git.kernel.org/stable/c/8e365f1bd672cc9320a936f6ae6f8087aa40e9bc"
},
{
"url": "https://git.kernel.org/stable/c/00b655fa96b4e941351cc4bf5ca755a65ae94a8e"
},
{
"url": "https://git.kernel.org/stable/c/7a7175a2cd84b7874bebbf8e59f134557a34161b"
}
],
"title": "drm/amd/display: Fix potential null-deref in dm_resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50535",
"datePublished": "2025-10-07T15:21:02.347Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:02.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53687 (GCVE-0-2023-53687)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
When the best clk is searched, we iterate over all possible clk.
If we find a better match, the previous one, if any, needs to be freed.
If a better match has already been found, we still need to free the new
one, otherwise it leaks.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "933e5b2998bc3a527d15efbf1e97c9e63297aa3c",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "01dd8a43a84616c830782166ba3cceb01ad95363",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "46574e5a0a2aee41e6ebb979cfe1dbaea8693e16",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1962717c4649e026a4252fe6625175affd28a593",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "9dd8091959bc41fee51d0827276a2b982e84adf0",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "f0bf102ef9b05d7294bd8d506755465f6867d944",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1f426293fef1c13742b2a685bf7e363f51f6ee03",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "832e231cff476102e8204a9e7bddfe5c6154a375",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk\n\nWhen the best clk is searched, we iterate over all possible clk.\n\nIf we find a better match, the previous one, if any, needs to be freed.\nIf a better match has already been found, we still need to free the new\none, otherwise it leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:39.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/933e5b2998bc3a527d15efbf1e97c9e63297aa3c"
},
{
"url": "https://git.kernel.org/stable/c/01dd8a43a84616c830782166ba3cceb01ad95363"
},
{
"url": "https://git.kernel.org/stable/c/46574e5a0a2aee41e6ebb979cfe1dbaea8693e16"
},
{
"url": "https://git.kernel.org/stable/c/1962717c4649e026a4252fe6625175affd28a593"
},
{
"url": "https://git.kernel.org/stable/c/9dd8091959bc41fee51d0827276a2b982e84adf0"
},
{
"url": "https://git.kernel.org/stable/c/f0bf102ef9b05d7294bd8d506755465f6867d944"
},
{
"url": "https://git.kernel.org/stable/c/1f426293fef1c13742b2a685bf7e363f51f6ee03"
},
{
"url": "https://git.kernel.org/stable/c/832e231cff476102e8204a9e7bddfe5c6154a375"
}
],
"title": "tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53687",
"datePublished": "2025-10-07T15:21:39.542Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:39.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50526 (GCVE-0-2022-50526)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502664/
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b312fcab461bd9484c61409007a6fe059f9c2074",
"status": "affected",
"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960",
"versionType": "git"
},
{
"lessThan": "74466e46e7543c7f74f1502181e9ba93f7521374",
"status": "affected",
"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502664/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:18.586Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b312fcab461bd9484c61409007a6fe059f9c2074"
},
{
"url": "https://git.kernel.org/stable/c/74466e46e7543c7f74f1502181e9ba93f7521374"
}
],
"title": "drm/msm/dp: fix memory corruption with too many bridges",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50526",
"datePublished": "2025-10-07T15:19:18.586Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:18.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50532 (GCVE-0-2022-50532)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
sas_rphy_free() needs be called to free the resource allocated in
sas_end_device_alloc(). Otherwise a kernel crash will happen:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
device_del+0x54/0x3d0
attribute_container_class_device_del+0x28/0x38
transport_remove_classdev+0x6c/0x80
attribute_container_device_trigger+0x108/0x110
transport_remove_device+0x28/0x38
sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
scsih_remove+0xd8/0x420 [mpt3sas]
Because transport_add_device() is not called when sas_rphy_add() fails, the
device is not added. When sas_rphy_remove() is subsequently called to
remove the device in the remove() path, a NULL pointer dereference happens.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: f92363d12359498f9a9960511de1a550f0ec41c2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d60000cb1195a464080b0efb4949daf7594e0020",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "ce1a69cc85006b494353911b35171da195d79e25",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6a92129c8f999ff5b122c100ce7f625eb3e98c4b",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6f6768e2fc8638fabdd8802c2ef693d7aef01db1",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "d17bca3ddfe507874cb826d32721552da12e741f",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "78316e9dfc24906dd474630928ed1d3c562b568e",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()\n\nIn mpt3sas_transport_port_add(), if sas_rphy_add() returns error,\nsas_rphy_free() needs be called to free the resource allocated in\nsas_end_device_alloc(). Otherwise a kernel crash will happen:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000108\nCPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x54/0x3d0\nlr : device_del+0x37c/0x3d0\nCall trace:\n device_del+0x54/0x3d0\n attribute_container_class_device_del+0x28/0x38\n transport_remove_classdev+0x6c/0x80\n attribute_container_device_trigger+0x108/0x110\n transport_remove_device+0x28/0x38\n sas_rphy_remove+0x50/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_rphy_remove+0x38/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_remove_host+0x20/0x38 [scsi_transport_sas]\n scsih_remove+0xd8/0x420 [mpt3sas]\n\nBecause transport_add_device() is not called when sas_rphy_add() fails, the\ndevice is not added. When sas_rphy_remove() is subsequently called to\nremove the device in the remove() path, a NULL pointer dereference happens."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:22.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d60000cb1195a464080b0efb4949daf7594e0020"
},
{
"url": "https://git.kernel.org/stable/c/ce1a69cc85006b494353911b35171da195d79e25"
},
{
"url": "https://git.kernel.org/stable/c/6a92129c8f999ff5b122c100ce7f625eb3e98c4b"
},
{
"url": "https://git.kernel.org/stable/c/6f6768e2fc8638fabdd8802c2ef693d7aef01db1"
},
{
"url": "https://git.kernel.org/stable/c/d17bca3ddfe507874cb826d32721552da12e741f"
},
{
"url": "https://git.kernel.org/stable/c/78316e9dfc24906dd474630928ed1d3c562b568e"
}
],
"title": "scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50532",
"datePublished": "2025-10-07T15:19:22.581Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:22.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50537 (GCVE-0-2022-50537)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will
not be freed through rpi_firmware_delete(), fix this leak by calling
kfree() in the error path.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: d537afa08e156a0a72562e625506825c2776fcfa Version: 60831f5ae6c713afceb6d29f40899ed112f36059 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49",
"status": "affected",
"version": "d537afa08e156a0a72562e625506825c2776fcfa",
"versionType": "git"
},
{
"lessThan": "d34742245e4366579f9a80f8cfe4a63248e838e0",
"status": "affected",
"version": "60831f5ae6c713afceb6d29f40899ed112f36059",
"versionType": "git"
},
{
"lessThan": "b308fdedef095aac14569f810d46edf773ea7d1e",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "71d2abab374f707ab8ac8dcef191fd2b3b67b8bd",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "7b51161696e803fd5f9ad55b20a64c2df313f95c",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()\n\nIn rpi_firmware_probe(), if mbox_request_channel() fails, the \u0027fw\u0027 will\nnot be freed through rpi_firmware_delete(), fix this leak by calling\nkfree() in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:03.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49"
},
{
"url": "https://git.kernel.org/stable/c/d34742245e4366579f9a80f8cfe4a63248e838e0"
},
{
"url": "https://git.kernel.org/stable/c/b308fdedef095aac14569f810d46edf773ea7d1e"
},
{
"url": "https://git.kernel.org/stable/c/6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34"
},
{
"url": "https://git.kernel.org/stable/c/71d2abab374f707ab8ac8dcef191fd2b3b67b8bd"
},
{
"url": "https://git.kernel.org/stable/c/7b51161696e803fd5f9ad55b20a64c2df313f95c"
}
],
"title": "firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50537",
"datePublished": "2025-10-07T15:21:03.749Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:03.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53662 (GCVE-0-2023-53662)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
If the filename casefolding fails, we'll be leaking memory from the
fscrypt_name struct, namely from the 'crypto_buf.name' member.
Make sure we free it in the error path on both ext4_fname_setup_filename()
and ext4_fname_prepare_lookup() functions.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "36daf050be3f6f067631dc52054de2d3b7cc849f",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "7ca4b085f430f3774c3838b3da569ceccd6a0177",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}\n\nIf the filename casefolding fails, we\u0027ll be leaking memory from the\nfscrypt_name struct, namely from the \u0027crypto_buf.name\u0027 member.\n\nMake sure we free it in the error path on both ext4_fname_setup_filename()\nand ext4_fname_prepare_lookup() functions."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:21.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c"
},
{
"url": "https://git.kernel.org/stable/c/36daf050be3f6f067631dc52054de2d3b7cc849f"
},
{
"url": "https://git.kernel.org/stable/c/7ca4b085f430f3774c3838b3da569ceccd6a0177"
}
],
"title": "ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53662",
"datePublished": "2025-10-07T15:21:21.703Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:21.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53625 (GCVE-0-2023-53625)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gvt: fix vgpu debugfs clean in remove
Check carefully on root debugfs available when destroying vgpu,
e.g in remove case drm minor's debugfs root might already be destroyed,
which led to kernel oops like below.
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
intel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14
BUG: kernel NULL pointer dereference, address: 0000000000000150
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6
Hardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022
RIP: 0010:__lock_acquire+0x5e2/0x1f90
Code: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff <48> 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0
RSP: 0018:ffff9f770274f948 EFLAGS: 00010046
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0xbf/0x2b0
? simple_recursive_removal+0xa5/0x2b0
? lock_release+0x13d/0x2d0
down_write+0x2a/0xd0
? simple_recursive_removal+0xa5/0x2b0
simple_recursive_removal+0xa5/0x2b0
? start_creating.part.0+0x110/0x110
? _raw_spin_unlock+0x29/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]
intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]
intel_vgpu_release_dev+0xe/0x20 [kvmgt]
device_release+0x30/0x80
kobject_put+0x79/0x1b0
device_release_driver_internal+0x1b8/0x230
bus_remove_device+0xec/0x160
device_del+0x189/0x400
? up_write+0x9c/0x1b0
? mdev_device_remove_common+0x60/0x60 [mdev]
mdev_device_remove_common+0x22/0x60 [mdev]
mdev_device_remove_cb+0x17/0x20 [mdev]
device_for_each_child+0x56/0x80
mdev_unregister_parent+0x5a/0x81 [mdev]
intel_gvt_clean_device+0x2d/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2e/0xb0 [i915]
i915_driver_remove+0xac/0x100 [i915]
i915_pci_remove+0x1a/0x30 [i915]
pci_device_remove+0x31/0xa0
device_release_driver_internal+0x1b8/0x230
unbind_store+0xd8/0x100
kernfs_fop_write_iter+0x156/0x210
vfs_write+0x236/0x4a0
ksys_write+0x61/0xd0
do_syscall_64+0x55/0x80
? find_held_lock+0x2b/0x80
? lock_release+0x13d/0x2d0
? up_read+0x17/0x20
? lock_is_held_type+0xe3/0x140
? asm_exc_page_fault+0x22/0x30
? lockdep_hardirqs_on+0x7d/0x100
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fc9b2c9e0c4
Code: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48
RSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4
RDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001
RBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30
R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d
R13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00
</TASK>
Modules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af90f8b36d78544433a48a3eda6a5faeafacd0a1",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "f5a9bbf962e2c4b1d9addbfaf16d7ffcc2f63bde",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "ffa83fba2a2ce8010eb106c779378cb3013362c7",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "44c0e07e3972e3f2609d69ad873d4f342f8a68ec",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "704f3384f322b40ba24d958473edfb1c9750c8fd",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix vgpu debugfs clean in remove\n\nCheck carefully on root debugfs available when destroying vgpu,\ne.g in remove case drm minor\u0027s debugfs root might already be destroyed,\nwhich led to kernel oops like below.\n\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nintel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14\nBUG: kernel NULL pointer dereference, address: 0000000000000150\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6\nHardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022\nRIP: 0010:__lock_acquire+0x5e2/0x1f90\nCode: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff \u003c48\u003e 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0\nRSP: 0018:ffff9f770274f948 EFLAGS: 00010046\nRAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000\nR13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0xbf/0x2b0\n ? simple_recursive_removal+0xa5/0x2b0\n ? lock_release+0x13d/0x2d0\n down_write+0x2a/0xd0\n ? simple_recursive_removal+0xa5/0x2b0\n simple_recursive_removal+0xa5/0x2b0\n ? start_creating.part.0+0x110/0x110\n ? 
_raw_spin_unlock+0x29/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]\n intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]\n intel_vgpu_release_dev+0xe/0x20 [kvmgt]\n device_release+0x30/0x80\n kobject_put+0x79/0x1b0\n device_release_driver_internal+0x1b8/0x230\n bus_remove_device+0xec/0x160\n device_del+0x189/0x400\n ? up_write+0x9c/0x1b0\n ? mdev_device_remove_common+0x60/0x60 [mdev]\n mdev_device_remove_common+0x22/0x60 [mdev]\n mdev_device_remove_cb+0x17/0x20 [mdev]\n device_for_each_child+0x56/0x80\n mdev_unregister_parent+0x5a/0x81 [mdev]\n intel_gvt_clean_device+0x2d/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2e/0xb0 [i915]\n i915_driver_remove+0xac/0x100 [i915]\n i915_pci_remove+0x1a/0x30 [i915]\n pci_device_remove+0x31/0xa0\n device_release_driver_internal+0x1b8/0x230\n unbind_store+0xd8/0x100\n kernfs_fop_write_iter+0x156/0x210\n vfs_write+0x236/0x4a0\n ksys_write+0x61/0xd0\n do_syscall_64+0x55/0x80\n ? find_held_lock+0x2b/0x80\n ? lock_release+0x13d/0x2d0\n ? up_read+0x17/0x20\n ? lock_is_held_type+0xe3/0x140\n ? asm_exc_page_fault+0x22/0x30\n ? 
lockdep_hardirqs_on+0x7d/0x100\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fc9b2c9e0c4\nCode: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48\nRSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4\nRDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001\nRBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30\nR10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d\nR13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00\n \u003c/TASK\u003e\nModules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:30.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af90f8b36d78544433a48a3eda6a5faeafacd0a1"
},
{
"url": "https://git.kernel.org/stable/c/f5a9bbf962e2c4b1d9addbfaf16d7ffcc2f63bde"
},
{
"url": "https://git.kernel.org/stable/c/ffa83fba2a2ce8010eb106c779378cb3013362c7"
},
{
"url": "https://git.kernel.org/stable/c/44c0e07e3972e3f2609d69ad873d4f342f8a68ec"
},
{
"url": "https://git.kernel.org/stable/c/704f3384f322b40ba24d958473edfb1c9750c8fd"
}
],
"title": "drm/i915/gvt: fix vgpu debugfs clean in remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53625",
"datePublished": "2025-10-07T15:19:30.213Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:30.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50517 (GCVE-0-2022-50517)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: do not clobber swp_entry_t during THP split
The following has been observed when running stressng mmap since commit
b653db77350c ("mm: Clear page->private when splitting or migrating a page")
watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]
CPU: 75 PID: 9546 Comm: stress-ng Tainted: G E 6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374
Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016
RIP: 0010:xas_descend+0x28/0x80
Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 <48> 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2
RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246
RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002
RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0
RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0
R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000
R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88
FS: 00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
xas_load+0x3a/0x50
__filemap_get_folio+0x80/0x370
? put_swap_page+0x163/0x360
pagecache_get_page+0x13/0x90
__try_to_reclaim_swap+0x50/0x190
scan_swap_map_slots+0x31e/0x670
get_swap_pages+0x226/0x3c0
folio_alloc_swap+0x1cc/0x240
add_to_swap+0x14/0x70
shrink_page_list+0x968/0xbc0
reclaim_page_list+0x70/0xf0
reclaim_pages+0xdd/0x120
madvise_cold_or_pageout_pte_range+0x814/0xf30
walk_pgd_range+0x637/0xa30
__walk_page_range+0x142/0x170
walk_page_range+0x146/0x170
madvise_pageout+0xb7/0x280
? asm_common_interrupt+0x22/0x40
madvise_vma_behavior+0x3b7/0xac0
? find_vma+0x4a/0x70
? find_vma+0x64/0x70
? madvise_vma_anon_name+0x40/0x40
madvise_walk_vmas+0xa6/0x130
do_madvise+0x2f4/0x360
__x64_sys_madvise+0x26/0x30
do_syscall_64+0x5b/0x80
? do_syscall_64+0x67/0x80
? syscall_exit_to_user_mode+0x17/0x40
? do_syscall_64+0x67/0x80
? syscall_exit_to_user_mode+0x17/0x40
? do_syscall_64+0x67/0x80
? do_syscall_64+0x67/0x80
? common_interrupt+0x8b/0xa0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The problem can be reproduced with the mmtests config
config-workload-stressng-mmap. It does not always happen and when it
triggers is variable but it has happened on multiple machines.
The intent of commit b653db77350c patch was to avoid the case where
PG_private is clear but folio->private is not-NULL. However, THP tail
pages uses page->private for "swp_entry_t if folio_test_swapcache()" as
stated in the documentation for struct folio. This patch only clobbers
page->private for tail pages if the head page was not in swapcache and
warns once if page->private had an unexpected value.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8cace0eeb03d6043827faa6cf6c9067a9f05cd9f",
"status": "affected",
"version": "b653db77350c7307a513b81856fe53e94cf42446",
"versionType": "git"
},
{
"lessThan": "71e2d666ef85d51834d658830f823560c402b8b6",
"status": "affected",
"version": "b653db77350c7307a513b81856fe53e94cf42446",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: do not clobber swp_entry_t during THP split\n\nThe following has been observed when running stressng mmap since commit\nb653db77350c (\"mm: Clear page-\u003eprivate when splitting or migrating a page\")\n\n watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]\n CPU: 75 PID: 9546 Comm: stress-ng Tainted: G E 6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374\n Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016\n RIP: 0010:xas_descend+0x28/0x80\n Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 \u003c48\u003e 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2\n RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246\n RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002\n RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0\n RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0\n R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000\n R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88\n FS: 00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n xas_load+0x3a/0x50\n __filemap_get_folio+0x80/0x370\n ? put_swap_page+0x163/0x360\n pagecache_get_page+0x13/0x90\n __try_to_reclaim_swap+0x50/0x190\n scan_swap_map_slots+0x31e/0x670\n get_swap_pages+0x226/0x3c0\n folio_alloc_swap+0x1cc/0x240\n add_to_swap+0x14/0x70\n shrink_page_list+0x968/0xbc0\n reclaim_page_list+0x70/0xf0\n reclaim_pages+0xdd/0x120\n madvise_cold_or_pageout_pte_range+0x814/0xf30\n walk_pgd_range+0x637/0xa30\n __walk_page_range+0x142/0x170\n walk_page_range+0x146/0x170\n madvise_pageout+0xb7/0x280\n ? asm_common_interrupt+0x22/0x40\n madvise_vma_behavior+0x3b7/0xac0\n ? find_vma+0x4a/0x70\n ? find_vma+0x64/0x70\n ? madvise_vma_anon_name+0x40/0x40\n madvise_walk_vmas+0xa6/0x130\n do_madvise+0x2f4/0x360\n __x64_sys_madvise+0x26/0x30\n do_syscall_64+0x5b/0x80\n ? do_syscall_64+0x67/0x80\n ? syscall_exit_to_user_mode+0x17/0x40\n ? do_syscall_64+0x67/0x80\n ? syscall_exit_to_user_mode+0x17/0x40\n ? do_syscall_64+0x67/0x80\n ? do_syscall_64+0x67/0x80\n ? common_interrupt+0x8b/0xa0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe problem can be reproduced with the mmtests config\nconfig-workload-stressng-mmap. It does not always happen and when it\ntriggers is variable but it has happened on multiple machines.\n\nThe intent of commit b653db77350c patch was to avoid the case where\nPG_private is clear but folio-\u003eprivate is not-NULL. However, THP tail\npages uses page-\u003eprivate for \"swp_entry_t if folio_test_swapcache()\" as\nstated in the documentation for struct folio. This patch only clobbers\npage-\u003eprivate for tail pages if the head page was not in swapcache and\nwarns once if page-\u003eprivate had an unexpected value."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:12.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8cace0eeb03d6043827faa6cf6c9067a9f05cd9f"
},
{
"url": "https://git.kernel.org/stable/c/71e2d666ef85d51834d658830f823560c402b8b6"
}
],
"title": "mm/huge_memory: do not clobber swp_entry_t during THP split",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50517",
"datePublished": "2025-10-07T15:19:12.344Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:12.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50543 (GCVE-0-2022-50543)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]
This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
memory leak in error path code") and then we fixed it in commit
8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
fix was reverted together at last by commit 1e75550648da (Revert
"RDMA/rxe: Create duplicate mapping tables for FMRs")
Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
successfully allocated.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ce577f09013206e36e674cd27da3707b2278268",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "06f73568f553b5be6ba7f6fe274d333ea29fc46d",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "7d984dac8f6bf4ebd3398af82b357e1d181ecaac",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"status": "affected",
"version": "e004a35e8148ad9fc438b0479884641acf382896",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr-\u003emap double free\n\nrxe_mr_cleanup() which tries to free mr-\u003emap again will be called when\nrxe_mr_init_user() fails:\n\n CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x5d\n panic+0x19e/0x349\n end_report.part.0+0x54/0x7c\n kasan_report.cold+0xa/0xf\n rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr-\u003emap once it is\nsuccessfully allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:07.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268"
},
{
"url": "https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d"
},
{
"url": "https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac"
}
],
"title": "RDMA/rxe: Fix mr-\u003emap double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50543",
"datePublished": "2025-10-07T15:21:07.939Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:07.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53658 (GCVE-0-2023-53658)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
If neither a "hif_mspi" nor "mspi" resource is present, the driver will
just early exit in probe but still return success. Apart from not doing
anything meaningful, this would then also lead to a null pointer access
on removal, as platform_get_drvdata() would return NULL, which it would
then try to dereference when trying to unregister the spi master.
Fix this by unconditionally calling devm_ioremap_resource(), as it can
handle a NULL res and will then return a viable ERR_PTR() if we get one.
The "return 0;" was previously a "goto qspi_resource_err;" where then
ret was returned, but since ret was still initialized to 0 at this place
this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix
use-after-free on unbind"). The issue was not introduced by this commit,
only made more obvious.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: fa236a7ef24048bafaeed13f68df35a819794758 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a91c34357afcfaa5307e254f22a8452550a07b34",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "d20db3c58a7f9361e370a7850ceb60dbdf62eea3",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "398e6a015877d44327f754aeb48ff3354945c78c",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "32b9c8f7892c19f7f5c9fed5fb410b9fd5990bb6",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "217b6ea8cf7b819477bca597a6ae2d43d38ba283",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "d3dcdb43c872a3b967345144151a2c9bb9124c9b",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "22ae32d80ef590d12a2364e4621f90f7c58445c7",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "7c1f23ad34fcdace50275a6aa1e1969b41c6233f",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm-qspi: return error if neither hif_mspi nor mspi is available\n\nIf neither a \"hif_mspi\" nor \"mspi\" resource is present, the driver will\njust early exit in probe but still return success. Apart from not doing\nanything meaningful, this would then also lead to a null pointer access\non removal, as platform_get_drvdata() would return NULL, which it would\nthen try to dereference when trying to unregister the spi master.\n\nFix this by unconditionally calling devm_ioremap_resource(), as it can\nhandle a NULL res and will then return a viable ERR_PTR() if we get one.\n\nThe \"return 0;\" was previously a \"goto qspi_resource_err;\" where then\nret was returned, but since ret was still initialized to 0 at this place\nthis was a valid conversion in 63c5395bb7a9 (\"spi: bcm-qspi: Fix\nuse-after-free on unbind\"). The issue was not introduced by this commit,\nonly made more obvious."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:18.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a91c34357afcfaa5307e254f22a8452550a07b34"
},
{
"url": "https://git.kernel.org/stable/c/d20db3c58a7f9361e370a7850ceb60dbdf62eea3"
},
{
"url": "https://git.kernel.org/stable/c/398e6a015877d44327f754aeb48ff3354945c78c"
},
{
"url": "https://git.kernel.org/stable/c/32b9c8f7892c19f7f5c9fed5fb410b9fd5990bb6"
},
{
"url": "https://git.kernel.org/stable/c/217b6ea8cf7b819477bca597a6ae2d43d38ba283"
},
{
"url": "https://git.kernel.org/stable/c/d3dcdb43c872a3b967345144151a2c9bb9124c9b"
},
{
"url": "https://git.kernel.org/stable/c/22ae32d80ef590d12a2364e4621f90f7c58445c7"
},
{
"url": "https://git.kernel.org/stable/c/7c1f23ad34fcdace50275a6aa1e1969b41c6233f"
}
],
"title": "spi: bcm-qspi: return error if neither hif_mspi nor mspi is available",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53658",
"datePublished": "2025-10-07T15:21:18.950Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:21:18.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53653 (GCVE-0-2023-53653)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: amphion: fix REVERSE_INULL issues reported by coverity
null-checking of a pointer is suggested before dereferencing it
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/amphion/venc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bddd678fd2864b435d00d51a4d3808a0d89c79de",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "e59d0cd8f414592187ead97b5832600ff7a0dd61",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "ef56b2db216f130c4240aed907d1c5272c2d298d",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "79d3bafaecc13bccab1ebbd28a15e669c5a4cdaf",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/amphion/venc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: fix REVERSE_INULL issues reported by coverity\n\nnull-checking of a pointor is suggested before dereferencing it"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:49.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bddd678fd2864b435d00d51a4d3808a0d89c79de"
},
{
"url": "https://git.kernel.org/stable/c/e59d0cd8f414592187ead97b5832600ff7a0dd61"
},
{
"url": "https://git.kernel.org/stable/c/ef56b2db216f130c4240aed907d1c5272c2d298d"
},
{
"url": "https://git.kernel.org/stable/c/79d3bafaecc13bccab1ebbd28a15e669c5a4cdaf"
}
],
"title": "media: amphion: fix REVERSE_INULL issues reported by coverity",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53653",
"datePublished": "2025-10-07T15:19:49.303Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:49.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50511 (GCVE-0-2022-50511)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/fonts: fix undefined behavior in bit shift for get_default_font
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20
left shift of 1 by 31 places cannot be represented in type 'int'
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
get_default_font+0x1c7/0x1f0
fbcon_startup+0x347/0x3a0
do_take_over_console+0xce/0x270
do_fbcon_takeover+0xa1/0x170
do_fb_registered+0x2a8/0x340
fbcon_fb_registered+0x47/0xe0
register_framebuffer+0x294/0x4a0
__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
bochs_pci_probe+0x6ca/0x772 [bochs]
local_pci_probe+0x4d/0xb0
pci_device_probe+0x119/0x320
really_probe+0x181/0x550
__driver_probe_device+0xc6/0x220
driver_probe_device+0x32/0x100
__driver_attach+0x195/0x200
bus_for_each_dev+0xbb/0x120
driver_attach+0x27/0x30
bus_add_driver+0x22e/0x2f0
driver_register+0xa9/0x190
__pci_register_driver+0x90/0xa0
bochs_pci_driver_init+0x52/0x1000 [bochs]
do_one_initcall+0x76/0x430
do_init_module+0x61/0x28a
load_module+0x1f82/0x2e50
__do_sys_finit_module+0xf8/0x190
__x64_sys_finit_module+0x23/0x30
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/fonts/fonts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e039929e36818507e90901edae87f6fa8bc81093",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "c9a9aa02f0fa3318e0ae5774f404419a1b4759ca",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "e83b47580a0738361772d6f24286adfdaba57e36",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "9c14a85e18a58c102ec223144b7edb5b345c1bea",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "890d91b31f4874361e0df047f57d268a7021cb12",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "6fe888c4d2fb174408e4540bb2d5602b9f507f90",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/fonts/fonts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/fonts: fix undefined behavior in bit shift for get_default_font\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20\nleft shift of 1 by 31 places cannot be represented in type \u0027int\u0027\n \u003cTASK\u003e\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n get_default_font+0x1c7/0x1f0\n fbcon_startup+0x347/0x3a0\n do_take_over_console+0xce/0x270\n do_fbcon_takeover+0xa1/0x170\n do_fb_registered+0x2a8/0x340\n fbcon_fb_registered+0x47/0xe0\n register_framebuffer+0x294/0x4a0\n __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\n drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\n drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\n drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\n bochs_pci_probe+0x6ca/0x772 [bochs]\n local_pci_probe+0x4d/0xb0\n pci_device_probe+0x119/0x320\n really_probe+0x181/0x550\n __driver_probe_device+0xc6/0x220\n driver_probe_device+0x32/0x100\n __driver_attach+0x195/0x200\n bus_for_each_dev+0xbb/0x120\n driver_attach+0x27/0x30\n bus_add_driver+0x22e/0x2f0\n driver_register+0xa9/0x190\n __pci_register_driver+0x90/0xa0\n bochs_pci_driver_init+0x52/0x1000 [bochs]\n do_one_initcall+0x76/0x430\n do_init_module+0x61/0x28a\n load_module+0x1f82/0x2e50\n __do_sys_finit_module+0xf8/0x190\n __x64_sys_finit_module+0x23/0x30\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:08.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e039929e36818507e90901edae87f6fa8bc81093"
},
{
"url": "https://git.kernel.org/stable/c/c9a9aa02f0fa3318e0ae5774f404419a1b4759ca"
},
{
"url": "https://git.kernel.org/stable/c/e83b47580a0738361772d6f24286adfdaba57e36"
},
{
"url": "https://git.kernel.org/stable/c/9c14a85e18a58c102ec223144b7edb5b345c1bea"
},
{
"url": "https://git.kernel.org/stable/c/890d91b31f4874361e0df047f57d268a7021cb12"
},
{
"url": "https://git.kernel.org/stable/c/6fe888c4d2fb174408e4540bb2d5602b9f507f90"
}
],
"title": "lib/fonts: fix undefined behavior in bit shift for get_default_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50511",
"datePublished": "2025-10-07T15:19:08.159Z",
"dateReserved": "2025-10-07T15:11:44.887Z",
"dateUpdated": "2025-10-07T15:19:08.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53656 (GCVE-0-2023-53656)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers/perf: hisi: Don't migrate perf to the CPU going to teardown
The driver needs to migrate the perf context if the current using CPU going
to teardown. By the time calling the cpuhp::teardown() callback the
cpu_online_mask() hasn't updated yet and still includes the CPU going to
teardown. In current driver's implementation we may migrate the context
to the teardown CPU and leads to the below calltrace:
...
[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008
[ 368.113699][ T932] Call trace:
[ 368.116834][ T932] __switch_to+0x7c/0xbc
[ 368.120924][ T932] __schedule+0x338/0x6f0
[ 368.125098][ T932] schedule+0x50/0xe0
[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24
[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc
[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30
[ 368.144573][ T932] mutex_lock+0x50/0x60
[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0
[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]
[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650
[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190
[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0
[ 368.175099][ T932] kthread+0x108/0x13c
[ 368.179012][ T932] ret_from_fork+0x10/0x18
...
Use function cpumask_any_but() to find one correct active cpu to fixes
this issue.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/hisilicon/hisi_pcie_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be9c8c9c84b6d25a7b7d39954030aba6f759feb6",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "f564e543a43d0f1cabac791672c8a6fc78ce12d0",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "b64569897d86b611befbb895d815280fea94e1ed",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/hisilicon/hisi_pcie_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: Don\u0027t migrate perf to the CPU going to teardown\n\nThe driver needs to migrate the perf context if the current using CPU going\nto teardown. By the time calling the cpuhp::teardown() callback the\ncpu_online_mask() hasn\u0027t updated yet and still includes the CPU going to\nteardown. In current driver\u0027s implementation we may migrate the context\nto the teardown CPU and leads to the below calltrace:\n\n...\n[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008\n[ 368.113699][ T932] Call trace:\n[ 368.116834][ T932] __switch_to+0x7c/0xbc\n[ 368.120924][ T932] __schedule+0x338/0x6f0\n[ 368.125098][ T932] schedule+0x50/0xe0\n[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24\n[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30\n[ 368.144573][ T932] mutex_lock+0x50/0x60\n[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0\n[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]\n[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650\n[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190\n[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0\n[ 368.175099][ T932] kthread+0x108/0x13c\n[ 368.179012][ T932] ret_from_fork+0x10/0x18\n...\n\nUse function cpumask_any_but() to find one correct active cpu to fixes\nthis issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:17.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be9c8c9c84b6d25a7b7d39954030aba6f759feb6"
},
{
"url": "https://git.kernel.org/stable/c/f564e543a43d0f1cabac791672c8a6fc78ce12d0"
},
{
"url": "https://git.kernel.org/stable/c/b64569897d86b611befbb895d815280fea94e1ed"
},
{
"url": "https://git.kernel.org/stable/c/7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a"
}
],
"title": "drivers/perf: hisi: Don\u0027t migrate perf to the CPU going to teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53656",
"datePublished": "2025-10-07T15:21:17.572Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:21:17.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50553 (GCVE-0-2022-50553)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
When generate a synthetic event with many params and then create a trace
action for it [1], kernel panic happened [2].
It is because that in trace_action_create() 'data->n_params' is up to
SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'
keeps indices into array 'hist_data->var_refs' for each synthetic event
param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX
(current value is 16), so out-of-bound write happened when 'data->n_params'
more than 16. In this case, 'data->match_data.event' is overwritten and
eventually cause the panic.
To solve the issue, adjust the length of 'data->var_ref_idx' to be
SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.
[1]
# cd /sys/kernel/tracing/
# echo "my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\
int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\
int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\
int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\
int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\
int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\
int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\
int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\
int v63" >> synthetic_events
# echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="bash"' >> \
events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid)" >> events/sched/sched_switch/trigger
[2]
BUG: unable to handle page fault for address: ffff91c900000000
PGD 61001067 P4D 61001067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Call Trace:
<TASK>
__find_event_file+0x55/0x90
action_create+0x76c/0x1060
event_hist_trigger_parse+0x146d/0x2060
? event_trigger_write+0x31/0xd0
trigger_process_regex+0xbb/0x110
event_trigger_write+0x6b/0xd0
vfs_write+0xc8/0x3e0
? alloc_fd+0xc0/0x160
? preempt_count_add+0x4d/0xa0
? preempt_count_add+0x70/0xa0
ksys_write+0x5f/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d1d0cf077
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e
fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74
RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077
RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001
RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142
R
---truncated---
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 38b67e60b6b582e81f9db1b2e7176cbbfbd3e574 Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: c78a2baf5e1fe1b38121d6b54bab77ccb81a1a86 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf79d5410a569dad1d4112b5c3c02383cca8213a",
"status": "affected",
"version": "38b67e60b6b582e81f9db1b2e7176cbbfbd3e574",
"versionType": "git"
},
{
"lessThan": "0cb31bd88361edb96cfc622648717ba348f0f4dc",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "15697f653399253f9be4ed2a1e03d795f3cfee94",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "b4efdc219fb8cfa066c7042e636ab8ad6d7e7494",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "04241956ce8825ff06e06e4083e7b692e9d5f712",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "82470f7d9044842618c847a7166de2b7458157a7",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"status": "affected",
"version": "c78a2baf5e1fe1b38121d6b54bab77ccb81a1a86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/hist: Fix out-of-bound write on \u0027action_data.var_ref_idx\u0027\n\nWhen generate a synthetic event with many params and then create a trace\naction for it [1], kernel panic happened [2].\n\nIt is because that in trace_action_create() \u0027data-\u003en_params\u0027 is up to\nSYNTH_FIELDS_MAX (current value is 64), and array \u0027data-\u003evar_ref_idx\u0027\nkeeps indices into array \u0027hist_data-\u003evar_refs\u0027 for each synthetic event\nparam, but the length of \u0027data-\u003evar_ref_idx\u0027 is TRACING_MAP_VARS_MAX\n(current value is 16), so out-of-bound write happened when \u0027data-\u003en_params\u0027\nmore than 16. In this case, \u0027data-\u003ematch_data.event\u0027 is overwritten and\neventually cause the panic.\n\nTo solve the issue, adjust the length of \u0027data-\u003evar_ref_idx\u0027 to be\nSYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.\n\n[1]\n # cd /sys/kernel/tracing/\n # echo \"my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\\\nint v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\\\nint v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\\\nint v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\\\nint v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\\\nint v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\\\nint v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\\\nint v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\\\nint v63\" \u003e\u003e synthetic_events\n # echo \u0027hist:keys=pid:ts0=common_timestamp.usecs if comm==\"bash\"\u0027 \u003e\u003e \\\nevents/sched/sched_waking/trigger\n # echo 
\"hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid)\" \u003e\u003e events/sched/sched_switch/trigger\n\n[2]\nBUG: unable to handle page fault for address: ffff91c900000000\nPGD 61001067 P4D 61001067 PUD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:strcmp+0xc/0x30\nCode: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee\nc3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 \u003c0f\u003e b6 14\n07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3\nRSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000\nRBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000\nR10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580\nR13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538\nFS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0\nCall Trace:\n \u003cTASK\u003e\n __find_event_file+0x55/0x90\n action_create+0x76c/0x1060\n event_hist_trigger_parse+0x146d/0x2060\n ? event_trigger_write+0x31/0xd0\n trigger_process_regex+0xbb/0x110\n event_trigger_write+0x6b/0xd0\n vfs_write+0xc8/0x3e0\n ? alloc_fd+0xc0/0x160\n ? preempt_count_add+0x4d/0xa0\n ? 
preempt_count_add+0x70/0xa0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1d1d0cf077\nCode: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e\nfa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74\nRSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077\nRDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001\nRBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142\nR\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:14.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf79d5410a569dad1d4112b5c3c02383cca8213a"
},
{
"url": "https://git.kernel.org/stable/c/0cb31bd88361edb96cfc622648717ba348f0f4dc"
},
{
"url": "https://git.kernel.org/stable/c/15697f653399253f9be4ed2a1e03d795f3cfee94"
},
{
"url": "https://git.kernel.org/stable/c/b4efdc219fb8cfa066c7042e636ab8ad6d7e7494"
},
{
"url": "https://git.kernel.org/stable/c/04241956ce8825ff06e06e4083e7b692e9d5f712"
},
{
"url": "https://git.kernel.org/stable/c/82470f7d9044842618c847a7166de2b7458157a7"
}
],
"title": "tracing/hist: Fix out-of-bound write on \u0027action_data.var_ref_idx\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50553",
"datePublished": "2025-10-07T15:21:14.729Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:14.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50528 (GCVE-0-2022-50528)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix memory leakage
This patch fixes potential memory leakage and seg fault
in _gpuvm_import_dmabuf() function
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8876793e56ec69b3be2a883b4bc440df3dbb1865",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "7356d8e367d0e025a568e369c4cf575722cac60f",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "c65564790048fa416ccd26a8945c7ec0cf9ef0b7",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "75818afff631e1ea785a82c3e8bb82eb0dee539c",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leakage\n\nThis patch fixes potential memory leakage and seg fault\nin _gpuvm_import_dmabuf() function"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:19.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8876793e56ec69b3be2a883b4bc440df3dbb1865"
},
{
"url": "https://git.kernel.org/stable/c/7356d8e367d0e025a568e369c4cf575722cac60f"
},
{
"url": "https://git.kernel.org/stable/c/c65564790048fa416ccd26a8945c7ec0cf9ef0b7"
},
{
"url": "https://git.kernel.org/stable/c/75818afff631e1ea785a82c3e8bb82eb0dee539c"
}
],
"title": "drm/amdkfd: Fix memory leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50528",
"datePublished": "2025-10-07T15:19:19.909Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:19.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50538 (GCVE-0-2022-50538)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
vme: Fix error not catched in fake_init()
In fake_init(), __root_device_register() is possible to fail but it's
ignored, which can cause unregistering vme_root fail when exit.
general protection fault,
probably for non-canonical address 0xdffffc000000008c
KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]
RIP: 0010:root_device_unregister+0x26/0x60
Call Trace:
<TASK>
__x64_sys_delete_module+0x34f/0x540
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Return error when __root_device_register() fails.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a Version: 658bcdae9c6755806e66b33e29d56b33a3ff421a |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/vme_user/vme_fake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e831fdd60e5863ee03173baf5a0f7c5450b44381",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "69b43937f14bdc3594f57f1a507a14f3d1187136",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "09be0e7ac5f9374b6f8de72c89ed67129af71f65",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "f3f65c4177846c483bf009f8c512ab04b3c62466",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "37d3de40c1ffb6a5e626bf46ff5ef5766c824e2c",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "4bc217b25ea81034fad8e33fd33e4659f086421d",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "a2a93546d414c7fe4862b87183fb737d1300d9d2",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "60ff9bd4ffc87bace581e235a6728f5ac8e5071f",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
},
{
"lessThan": "7bef797d707f1744f71156b21d41e3b8c946631f",
"status": "affected",
"version": "658bcdae9c6755806e66b33e29d56b33a3ff421a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/vme_user/vme_fake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvme: Fix error not catched in fake_init()\n\nIn fake_init(), __root_device_register() is possible to fail but it\u0027s\nignored, which can cause unregistering vme_root fail when exit.\n\n general protection fault,\n probably for non-canonical address 0xdffffc000000008c\n KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]\n RIP: 0010:root_device_unregister+0x26/0x60\n Call Trace:\n \u003cTASK\u003e\n __x64_sys_delete_module+0x34f/0x540\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nReturn error when __root_device_register() fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:04.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e831fdd60e5863ee03173baf5a0f7c5450b44381"
},
{
"url": "https://git.kernel.org/stable/c/69b43937f14bdc3594f57f1a507a14f3d1187136"
},
{
"url": "https://git.kernel.org/stable/c/09be0e7ac5f9374b6f8de72c89ed67129af71f65"
},
{
"url": "https://git.kernel.org/stable/c/f3f65c4177846c483bf009f8c512ab04b3c62466"
},
{
"url": "https://git.kernel.org/stable/c/37d3de40c1ffb6a5e626bf46ff5ef5766c824e2c"
},
{
"url": "https://git.kernel.org/stable/c/4bc217b25ea81034fad8e33fd33e4659f086421d"
},
{
"url": "https://git.kernel.org/stable/c/a2a93546d414c7fe4862b87183fb737d1300d9d2"
},
{
"url": "https://git.kernel.org/stable/c/60ff9bd4ffc87bace581e235a6728f5ac8e5071f"
},
{
"url": "https://git.kernel.org/stable/c/7bef797d707f1744f71156b21d41e3b8c946631f"
}
],
"title": "vme: Fix error not catched in fake_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50538",
"datePublished": "2025-10-07T15:21:04.428Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:04.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50520 (GCVE-0-2022-50520)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.
If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: 61ebf0a926149cc161131470cf848cb70b3d6fe6 Version: 0a1d9a860832a5ca43114cdebf0e8650463cc1f0 Version: 5f54f145719f453dccc73304cd427096bf7b806c Version: 063ab9cb6308a0806d623c8d6dda5cb2b3b87fce |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f28c7f67af4ef9bca580ab67ae2d4511797af56",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "e738f82e5b1311e8fb3d1409491a6fcce6418fbe",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "1079df6acf56f99d86b0081a38c84701412cc90e",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "470a77989037c3ab2b08bf2d026d2c0ddc35ff5b",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "3991d98a8a07b71c02f3a39f77d6d9a7f575a5c4",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "88c6e0995c04b170563b5c894c50a3b2152e18c2",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "b9decada8749b606fd8b4f04a3d6c74f7983d7bc",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "a6cffe54064a5f6c2162a85af3c16c6b453eac4e",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "725a521a18734f65de05b8d353b5bd0d3ca4c37a",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"status": "affected",
"version": "61ebf0a926149cc161131470cf848cb70b3d6fe6",
"versionType": "git"
},
{
"status": "affected",
"version": "0a1d9a860832a5ca43114cdebf0e8650463cc1f0",
"versionType": "git"
},
{
"status": "affected",
"version": "5f54f145719f453dccc73304cd427096bf7b806c",
"versionType": "git"
},
{
"status": "affected",
"version": "063ab9cb6308a0806d623c8d6dda5cb2b3b87fce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.60",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()\n\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\n\nIf we break the loop in radeon_atrm_get_bios() with \u0027pdev\u0027 not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:14.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f28c7f67af4ef9bca580ab67ae2d4511797af56"
},
{
"url": "https://git.kernel.org/stable/c/e738f82e5b1311e8fb3d1409491a6fcce6418fbe"
},
{
"url": "https://git.kernel.org/stable/c/1079df6acf56f99d86b0081a38c84701412cc90e"
},
{
"url": "https://git.kernel.org/stable/c/470a77989037c3ab2b08bf2d026d2c0ddc35ff5b"
},
{
"url": "https://git.kernel.org/stable/c/3991d98a8a07b71c02f3a39f77d6d9a7f575a5c4"
},
{
"url": "https://git.kernel.org/stable/c/88c6e0995c04b170563b5c894c50a3b2152e18c2"
},
{
"url": "https://git.kernel.org/stable/c/b9decada8749b606fd8b4f04a3d6c74f7983d7bc"
},
{
"url": "https://git.kernel.org/stable/c/a6cffe54064a5f6c2162a85af3c16c6b453eac4e"
},
{
"url": "https://git.kernel.org/stable/c/725a521a18734f65de05b8d353b5bd0d3ca4c37a"
}
],
"title": "drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50520",
"datePublished": "2025-10-07T15:19:14.528Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:14.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50525 (GCVE-0-2022-50525)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/fsl_pamu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c93983230562883e0b5f122040efbb3d478c36d4",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "a305d0e4d0ce3166e31d7dbcb4c98b09cad6d49a",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "9fbccdf2fefa3944dd8ba8c6a808b387787f3917",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "17fd440594961c5e2ea0f58591bc1bdba0629c75",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "0d240ac0e4c35d3f64fc782c11433138c1bd016e",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "e42b543d08052c3b223bcfb48f05cbaf0b767f86",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "9238b687fd62cde14c6e2e8576a40e4246de7ebe",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "de7eb55009796687fc0a1670e0b944fa8ed54e9b",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "73f5fc5f884ad0c5f7d57f66303af64f9f002526",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/fsl_pamu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()\n\nThe fsl_pamu_probe() returns directly when create_csd() failed, leaving\nirq and memories unreleased.\nFix by jumping to error if create_csd() returns error."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:17.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c93983230562883e0b5f122040efbb3d478c36d4"
},
{
"url": "https://git.kernel.org/stable/c/a305d0e4d0ce3166e31d7dbcb4c98b09cad6d49a"
},
{
"url": "https://git.kernel.org/stable/c/9fbccdf2fefa3944dd8ba8c6a808b387787f3917"
},
{
"url": "https://git.kernel.org/stable/c/17fd440594961c5e2ea0f58591bc1bdba0629c75"
},
{
"url": "https://git.kernel.org/stable/c/0d240ac0e4c35d3f64fc782c11433138c1bd016e"
},
{
"url": "https://git.kernel.org/stable/c/e42b543d08052c3b223bcfb48f05cbaf0b767f86"
},
{
"url": "https://git.kernel.org/stable/c/9238b687fd62cde14c6e2e8576a40e4246de7ebe"
},
{
"url": "https://git.kernel.org/stable/c/de7eb55009796687fc0a1670e0b944fa8ed54e9b"
},
{
"url": "https://git.kernel.org/stable/c/73f5fc5f884ad0c5f7d57f66303af64f9f002526"
}
],
"title": "iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50525",
"datePublished": "2025-10-07T15:19:17.929Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:17.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50536 (GCVE-0-2022-50536)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.
We should reset the eval variable to __SK_NONE every time more_data
starts.
This causes:
IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
Modules linked in:
CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
<TASK>
__tcp_transmit_skb+0xa1b/0xb90
? __alloc_skb+0x8c/0x1a0
? __kmalloc_node_track_caller+0x184/0x320
tcp_write_xmit+0x22a/0x1110
__tcp_push_pending_frames+0x32/0xf0
do_tcp_sendpages+0x62d/0x640
tcp_bpf_push+0xae/0x2c0
tcp_bpf_sendmsg_redir+0x260/0x410
? preempt_count_add+0x70/0xa0
tcp_bpf_send_verdict+0x386/0x4b0
tcp_bpf_sendmsg+0x21b/0x3b0
sock_sendmsg+0x58/0x70
__sys_sendto+0xfa/0x170
? xfd_validate_state+0x1d/0x80
? switch_fpu_return+0x59/0xe0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7508b9f4daac4ec7dfe0b6fb2d688b1c1c105e10",
"status": "affected",
"version": "5f0bfe21c853917aae4bc5a70fe57ddb4054443e",
"versionType": "git"
},
{
"lessThan": "28e4a763cd4a2b1a78852216ef4bd7df3a05cec6",
"status": "affected",
"version": "15dec6d8f8642a26d6a272af2d7f9877df8f02b8",
"versionType": "git"
},
{
"lessThan": "8786bde11a4f31b63b3036731df0b47337a7a245",
"status": "affected",
"version": "cd9733f5d75c94a32544d6ce5be47e14194cf137",
"versionType": "git"
},
{
"lessThan": "578a7628b838a3ac8ad61deaab5a816ff032ac13",
"status": "affected",
"version": "cd9733f5d75c94a32544d6ce5be47e14194cf137",
"versionType": "git"
},
{
"lessThan": "113236e8f49f262f318c00ebb14b15f4834e87c1",
"status": "affected",
"version": "cd9733f5d75c94a32544d6ce5be47e14194cf137",
"versionType": "git"
},
{
"lessThan": "7a9841ca025275b5b0edfb0b618934abb6ceec15",
"status": "affected",
"version": "cd9733f5d75c94a32544d6ce5be47e14194cf137",
"versionType": "git"
},
{
"status": "affected",
"version": "6f226ffe4458ea3b8c33287cb8c86f87dc198dce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix repeated calls to sock_put() when msg has more_data\n\nIn tcp_bpf_send_verdict() redirection, the eval variable is assigned to\n__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,\nsock_put() will be called multiple times.\n\nWe should reset the eval variable to __SK_NONE every time more_data\nstarts.\n\nThis causes:\n\nIPv4: Attempt to release TCP socket in state 1 00000000b4c925d7\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110\nModules linked in:\nCPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1\nHardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __tcp_transmit_skb+0xa1b/0xb90\n ? __alloc_skb+0x8c/0x1a0\n ? __kmalloc_node_track_caller+0x184/0x320\n tcp_write_xmit+0x22a/0x1110\n __tcp_push_pending_frames+0x32/0xf0\n do_tcp_sendpages+0x62d/0x640\n tcp_bpf_push+0xae/0x2c0\n tcp_bpf_sendmsg_redir+0x260/0x410\n ? preempt_count_add+0x70/0xa0\n tcp_bpf_send_verdict+0x386/0x4b0\n tcp_bpf_sendmsg+0x21b/0x3b0\n sock_sendmsg+0x58/0x70\n __sys_sendto+0xfa/0x170\n ? xfd_validate_state+0x1d/0x80\n ? switch_fpu_return+0x59/0xe0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:03.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7508b9f4daac4ec7dfe0b6fb2d688b1c1c105e10"
},
{
"url": "https://git.kernel.org/stable/c/28e4a763cd4a2b1a78852216ef4bd7df3a05cec6"
},
{
"url": "https://git.kernel.org/stable/c/8786bde11a4f31b63b3036731df0b47337a7a245"
},
{
"url": "https://git.kernel.org/stable/c/578a7628b838a3ac8ad61deaab5a816ff032ac13"
},
{
"url": "https://git.kernel.org/stable/c/113236e8f49f262f318c00ebb14b15f4834e87c1"
},
{
"url": "https://git.kernel.org/stable/c/7a9841ca025275b5b0edfb0b618934abb6ceec15"
}
],
"title": "bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50536",
"datePublished": "2025-10-07T15:21:03.056Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:03.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53660 (GCVE-0-2023-53660)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, cpumap: Handle skb as well when clean up ptr_ring
The following warning was reported when running xdp_redirect_cpu with
both skb-mode and stress-mode enabled:
------------[ cut here ]------------
Incorrect XDP memory type (-2128176192) usage
WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405
Modules linked in:
CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: events __cpu_map_entry_free
RIP: 0010:__xdp_return+0x1e4/0x4a0
......
Call Trace:
<TASK>
? show_regs+0x65/0x70
? __warn+0xa5/0x240
? __xdp_return+0x1e4/0x4a0
......
xdp_return_frame+0x4d/0x150
__cpu_map_entry_free+0xf9/0x230
process_one_work+0x6b0/0xb80
worker_thread+0x96/0x720
kthread+0x1a5/0x1f0
ret_from_fork+0x3a/0x70
ret_from_fork_asm+0x1b/0x30
</TASK>
The reason for the warning is twofold. One is due to the kthread
cpu_map_kthread_run() is stopped prematurely. Another one is
__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in
ptr_ring as XDP frames.
Prematurely-stopped kthread will be fixed by the preceding patch and
ptr_ring will be empty when __cpu_map_ring_cleanup() is called. But
as the comments in __cpu_map_ring_cleanup() said, handling and freeing
skbs in ptr_ring as well to "catch any broken behaviour gracefully".
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b58d34068fd9f96bfc7d389988dfaf9a92a8fe00",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "cbd000451885801e9bbfd9cf7a7946806a85cb5e",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "937345720d18f1ad006ba3d5dcb3fa121037b8a2",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "7c62b75cd1a792e14b037fa4f61f9b18914e7de1",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Handle skb as well when clean up ptr_ring\n\nThe following warning was reported when running xdp_redirect_cpu with\nboth skb-mode and stress-mode enabled:\n\n ------------[ cut here ]------------\n Incorrect XDP memory type (-2128176192) usage\n WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405\n Modules linked in:\n CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: events __cpu_map_entry_free\n RIP: 0010:__xdp_return+0x1e4/0x4a0\n ......\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x65/0x70\n ? __warn+0xa5/0x240\n ? __xdp_return+0x1e4/0x4a0\n ......\n xdp_return_frame+0x4d/0x150\n __cpu_map_entry_free+0xf9/0x230\n process_one_work+0x6b0/0xb80\n worker_thread+0x96/0x720\n kthread+0x1a5/0x1f0\n ret_from_fork+0x3a/0x70\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe reason for the warning is twofold. One is due to the kthread\ncpu_map_kthread_run() is stopped prematurely. Another one is\n__cpu_map_ring_cleanup() doesn\u0027t handle skb mode and treats skbs in\nptr_ring as XDP frames.\n\nPrematurely-stopped kthread will be fixed by the preceding patch and\nptr_ring will be empty when __cpu_map_ring_cleanup() is called. But\nas the comments in __cpu_map_ring_cleanup() said, handling and freeing\nskbs in ptr_ring as well to \"catch any broken behaviour gracefully\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:20.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b58d34068fd9f96bfc7d389988dfaf9a92a8fe00"
},
{
"url": "https://git.kernel.org/stable/c/cbd000451885801e9bbfd9cf7a7946806a85cb5e"
},
{
"url": "https://git.kernel.org/stable/c/937345720d18f1ad006ba3d5dcb3fa121037b8a2"
},
{
"url": "https://git.kernel.org/stable/c/7c62b75cd1a792e14b037fa4f61f9b18914e7de1"
}
],
"title": "bpf, cpumap: Handle skb as well when clean up ptr_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53660",
"datePublished": "2025-10-07T15:21:20.307Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:20.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53676 (GCVE-0-2023-53676)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to overflow the
buffer provided by configfs and corrupt the memory.
This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
boundaries.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df349e84c2cb0dd05d98c8e1189c26ab4b116083",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114b44dddea1f8f99576de3c0e6e9059012002fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5353df78c22623b42a71d51226d228a8413097e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4738bf8b2d3635c2944b81b2a84d97b8c8b0978d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0cac6cbb9908309352a5d30c1876882771d3da50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "801f287c93ff95582b0a2d2163f12870a2f076d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it\u0027s possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundries."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:31.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df349e84c2cb0dd05d98c8e1189c26ab4b116083"
},
{
"url": "https://git.kernel.org/stable/c/114b44dddea1f8f99576de3c0e6e9059012002fc"
},
{
"url": "https://git.kernel.org/stable/c/2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6"
},
{
"url": "https://git.kernel.org/stable/c/bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a"
},
{
"url": "https://git.kernel.org/stable/c/5353df78c22623b42a71d51226d228a8413097e2"
},
{
"url": "https://git.kernel.org/stable/c/4738bf8b2d3635c2944b81b2a84d97b8c8b0978d"
},
{
"url": "https://git.kernel.org/stable/c/0cac6cbb9908309352a5d30c1876882771d3da50"
},
{
"url": "https://git.kernel.org/stable/c/801f287c93ff95582b0a2d2163f12870a2f076d4"
}
],
"title": "scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53676",
"datePublished": "2025-10-07T15:21:31.757Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:31.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53649 (GCVE-0-2023-53649)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf trace: Really free the evsel->priv area
In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in
evsel->priv") it only was freeing if strcmp(evsel->tp_format->system,
"syscalls") returned zero, while the corresponding initialization of
evsel->priv was being performed if it was _not_ zero, i.e. if the tp
system wasn't 'syscalls'.
Just stop looking for that and free it if evsel->priv was set, which
should be equivalent.
Also use the pre-existing evsel_trace__delete() function.
This resolves these leaks, detected with:
$ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin
=================================================================
==481565==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
#6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212
#7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
#8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
#6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205
#7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
#8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).
[root@quaco ~]#
With this we plug all leaks with "perf trace sleep 1".
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/perf/builtin-trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3bc668581e71e7c3bc7eb1d647f25f8db222163",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "62dd514c34be63d3d5cae1f52a7e8b96c6dd6630",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "27f396f64537b1ae48d0644d7cbf0d250b3c0b33",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "7962ef13651a9163f07b530607392ea123482e8a",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/perf/builtin-trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf trace: Really free the evsel-\u003epriv area\n\nIn 3cb4d5e00e037c70 (\"perf trace: Free syscall tp fields in\nevsel-\u003epriv\") it only was freeing if strcmp(evsel-\u003etp_format-\u003esystem,\n\"syscalls\") returned zero, while the corresponding initialization of\nevsel-\u003epriv was being performed if it was _not_ zero, i.e. if the tp\nsystem wasn\u0027t \u0027syscalls\u0027.\n\nJust stop looking for that and free it if evsel-\u003epriv was set, which\nshould be equivalent.\n\nAlso use the pre-existing evsel_trace__delete() function.\n\nThis resolves these leaks, detected with:\n\n $ make EXTRA_CFLAGS=\"-fsanitize=address\" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin\n\n =================================================================\n ==481565==ERROR: LeakSanitizer: detected memory leaks\n\n Direct leak of 40 byte(s) in 1 object(s) allocated from:\n #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212\n #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n #11 0x4196da in 
run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n Direct leak of 40 byte(s) in 1 object(s) allocated from:\n #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205\n #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).\n [root@quaco ~]#\n\nWith this we plug all leaks with \"perf trace sleep 1\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:46.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3bc668581e71e7c3bc7eb1d647f25f8db222163"
},
{
"url": "https://git.kernel.org/stable/c/62dd514c34be63d3d5cae1f52a7e8b96c6dd6630"
},
{
"url": "https://git.kernel.org/stable/c/27f396f64537b1ae48d0644d7cbf0d250b3c0b33"
},
{
"url": "https://git.kernel.org/stable/c/7962ef13651a9163f07b530607392ea123482e8a"
}
],
"title": "perf trace: Really free the evsel-\u003epriv area",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53649",
"datePublished": "2025-10-07T15:19:46.459Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:46.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53681 (GCVE-0-2023-53681)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
In some specific situations, the return value of __bch_btree_node_alloc
may be NULL. This may lead to a potential NULL pointer dereference in
caller function like a calling chain :
btree_split->bch_btree_node_alloc->__bch_btree_node_alloc.
Fix it by initializing the return value in __bch_btree_node_alloc.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "587b4e8bb5dac682f09280ab35db4632b29d5ac4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "b070f29a61436f6f8a2e3abc7ea4f4be81695198",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "a4405f6ee03323410d7b10966fd67b35f71b1944",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "f67b0e3081f2a24170280a33ac66f6b112083c03",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "7ecea5ce3dc17339c280c75b58ac93d8c8620d9f",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "4514847aee18d9391a0cf3aad75d3567c72795a4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "80fca8a10b604afad6c14213fdfd816c4eda3ee4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: Fix __bch_btree_node_alloc to make the failure behavior consistent\n\nIn some specific situations, the return value of __bch_btree_node_alloc\nmay be NULL. This may lead to a potential NULL pointer dereference in\ncaller function like a calling chain :\nbtree_split-\u003ebch_btree_node_alloc-\u003e__bch_btree_node_alloc.\n\nFix it by initializing the return value in __bch_btree_node_alloc."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:35.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/587b4e8bb5dac682f09280ab35db4632b29d5ac4"
},
{
"url": "https://git.kernel.org/stable/c/b070f29a61436f6f8a2e3abc7ea4f4be81695198"
},
{
"url": "https://git.kernel.org/stable/c/a4405f6ee03323410d7b10966fd67b35f71b1944"
},
{
"url": "https://git.kernel.org/stable/c/f67b0e3081f2a24170280a33ac66f6b112083c03"
},
{
"url": "https://git.kernel.org/stable/c/7ecea5ce3dc17339c280c75b58ac93d8c8620d9f"
},
{
"url": "https://git.kernel.org/stable/c/4514847aee18d9391a0cf3aad75d3567c72795a4"
},
{
"url": "https://git.kernel.org/stable/c/80fca8a10b604afad6c14213fdfd816c4eda3ee4"
}
],
"title": "bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53681",
"datePublished": "2025-10-07T15:21:35.315Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:35.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53629 (GCVE-0-2023-53629)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: dlm: fix use after free in midcomms commit
While working on processing dlm message in softirq context I experienced
the following KASAN use-after-free warning:
[ 151.760477] ==================================================================
[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0
[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347
[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828
[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014
[ 151.768726] Call Trace:
[ 151.769277] <TASK>
[ 151.769748] dump_stack_lvl+0x5b/0x86
[ 151.770556] print_report+0x180/0x4c8
[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0
[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
[ 151.773069] kasan_report+0x93/0x1a0
[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
[ 151.774514] __asan_load4+0x7e/0xa0
[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0
[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0
[ 151.776770] send_common+0x19f/0x1b0
[ 151.777342] ? remove_from_waiters+0x60/0x60
[ 151.778017] ? lock_downgrade+0x410/0x410
[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20
[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0
[ 151.780292] _convert_lock+0x46/0x150
[ 151.780893] convert_lock+0x7b/0xc0
[ 151.781459] dlm_lock+0x3ac/0x580
[ 151.781993] ? 0xffffffffc0540000
[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture]
[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70
[ 151.784003] ? preempt_count_sub+0xd6/0x130
[ 151.784661] ? is_module_address+0x47/0x70
[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture]
[ 151.786166] ? 0xffffffffc0540000
[ 151.786693] ? lockdep_init_map_type+0xc3/0x360
[ 151.787414] ? 0xffffffffc0540000
[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture]
[ 151.789858] ? 0xffffffffc0540000
[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]
[ 151.791347] ? delay_tsc+0x94/0xc0
[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture]
[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture]
[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture]
[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]
[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0
[ 151.797152] ? mark_held_locks+0x34/0xb0
[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70
[ 151.798581] ? __kthread_parkme+0x79/0x110
[ 151.799246] ? trace_preempt_on+0x2a/0xf0
[ 151.799902] ? __kthread_parkme+0x79/0x110
[ 151.800579] ? preempt_count_sub+0xd6/0x130
[ 151.801271] ? __kasan_check_read+0x11/0x20
[ 151.801963] ? __kthread_parkme+0xec/0x110
[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 151.803569] kthread+0x192/0x1d0
[ 151.804104] ? kthread_complete_and_exit+0x30/0x30
[ 151.804881] ret_from_fork+0x1f/0x30
[ 151.805480] </TASK>
[ 151.806111] Allocated by task 1347:
[ 151.806681] kasan_save_stack+0x26/0x50
[ 151.807308] kasan_set_track+0x25/0x30
[ 151.807920] kasan_save_alloc_info+0x1e/0x30
[ 151.808609] __kasan_slab_alloc+0x63/0x80
[ 151.809263] kmem_cache_alloc+0x1ad/0x830
[ 151.809916] dlm_allocate_mhandle+0x17/0x20
[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260
[ 151.811344] _create_message+0x95/0x180
[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0
[ 151.812880] send_common+0x129/0x1b0
[ 151.813467] _convert_lock+0x46/0x150
[ 151.814074] convert_lock+0x7b/0xc0
[ 151.814648] dlm_lock+0x3ac/0x580
[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture]
[ 151.817129] lock_t
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/midcomms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3b0e9ac3c2447008db942d51f593841d8329e99",
"status": "affected",
"version": "489d8e559c6596eb08e16447d9830bc39afbe54e",
"versionType": "git"
},
{
"lessThan": "a2de9f9b686c71b4fa3663ae374f5f643c46a446",
"status": "affected",
"version": "489d8e559c6596eb08e16447d9830bc39afbe54e",
"versionType": "git"
},
{
"lessThan": "724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba",
"status": "affected",
"version": "489d8e559c6596eb08e16447d9830bc39afbe54e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/midcomms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.20",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix use after free in midcomms commit\n\nWhile working on processing dlm message in softirq context I experienced\nthe following KASAN use-after-free warning:\n\n[ 151.760477] ==================================================================\n[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347\n\n[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828\n[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014\n[ 151.768726] Call Trace:\n[ 151.769277] \u003cTASK\u003e\n[ 151.769748] dump_stack_lvl+0x5b/0x86\n[ 151.770556] print_report+0x180/0x4c8\n[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0\n[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.773069] kasan_report+0x93/0x1a0\n[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.774514] __asan_load4+0x7e/0xa0\n[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0\n[ 151.776770] send_common+0x19f/0x1b0\n[ 151.777342] ? remove_from_waiters+0x60/0x60\n[ 151.778017] ? lock_downgrade+0x410/0x410\n[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20\n[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0\n[ 151.780292] _convert_lock+0x46/0x150\n[ 151.780893] convert_lock+0x7b/0xc0\n[ 151.781459] dlm_lock+0x3ac/0x580\n[ 151.781993] ? 0xffffffffc0540000\n[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70\n[ 151.784003] ? preempt_count_sub+0xd6/0x130\n[ 151.784661] ? is_module_address+0x47/0x70\n[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.786166] ? 0xffffffffc0540000\n[ 151.786693] ? lockdep_init_map_type+0xc3/0x360\n[ 151.787414] ? 
0xffffffffc0540000\n[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.789858] ? 0xffffffffc0540000\n[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]\n[ 151.791347] ? delay_tsc+0x94/0xc0\n[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture]\n[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture]\n[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]\n[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0\n[ 151.797152] ? mark_held_locks+0x34/0xb0\n[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70\n[ 151.798581] ? __kthread_parkme+0x79/0x110\n[ 151.799246] ? trace_preempt_on+0x2a/0xf0\n[ 151.799902] ? __kthread_parkme+0x79/0x110\n[ 151.800579] ? preempt_count_sub+0xd6/0x130\n[ 151.801271] ? __kasan_check_read+0x11/0x20\n[ 151.801963] ? __kthread_parkme+0xec/0x110\n[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 151.803569] kthread+0x192/0x1d0\n[ 151.804104] ? 
kthread_complete_and_exit+0x30/0x30\n[ 151.804881] ret_from_fork+0x1f/0x30\n[ 151.805480] \u003c/TASK\u003e\n\n[ 151.806111] Allocated by task 1347:\n[ 151.806681] kasan_save_stack+0x26/0x50\n[ 151.807308] kasan_set_track+0x25/0x30\n[ 151.807920] kasan_save_alloc_info+0x1e/0x30\n[ 151.808609] __kasan_slab_alloc+0x63/0x80\n[ 151.809263] kmem_cache_alloc+0x1ad/0x830\n[ 151.809916] dlm_allocate_mhandle+0x17/0x20\n[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260\n[ 151.811344] _create_message+0x95/0x180\n[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0\n[ 151.812880] send_common+0x129/0x1b0\n[ 151.813467] _convert_lock+0x46/0x150\n[ 151.814074] convert_lock+0x7b/0xc0\n[ 151.814648] dlm_lock+0x3ac/0x580\n[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[ 151.817129] lock_t\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:32.960Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3b0e9ac3c2447008db942d51f593841d8329e99"
},
{
"url": "https://git.kernel.org/stable/c/a2de9f9b686c71b4fa3663ae374f5f643c46a446"
},
{
"url": "https://git.kernel.org/stable/c/724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba"
}
],
"title": "fs: dlm: fix use after free in midcomms commit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53629",
"datePublished": "2025-10-07T15:19:32.960Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:32.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53623 (GCVE-0-2023-53623)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
The si->lock must be held when deleting the si from the available list.
Otherwise, another thread can re-add the si to the available list, which
can lead to memory corruption. The only place we have found where this
happens is in the swapoff path. This case can be described as below:
core 0                       core 1
swapoff
del_from_avail_list(si)      waiting
try lock si->lock            acquire swap_avail_lock
                             and re-add si into
                             swap_avail_head
acquire si->lock but missing si already being added again, and continuing
to clear SWP_WRITEOK, etc.
It can easily be seen that a massive number of warning messages can be
triggered inside get_swap_pages() in some special cases, for example, when
we call madvise(MADV_PAGEOUT) on blocks of touched memory concurrently and,
meanwhile, run many swapon-swapoff operations (e.g. stress-ng-swap).
However, in the worst case, a panic can be caused by the above scenario. In
swapoff(), the memory used by si could be kept in swap_info[] after
turning off a swap. This means memory corruption will not be caused
immediately, until it is allocated and reset for a new swap in the swapon path.
A panic message caused (with CONFIG_PLIST_DEBUG enabled):
------------[ cut here ]------------
top: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a
prev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d
next: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a
WARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70
Modules linked in: rfkill(E) crct10dif_ce(E)...
CPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 5.10.134+
Hardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
pc : plist_check_prev_next_node+0x50/0x70
lr : plist_check_prev_next_node+0x50/0x70
Call trace:
plist_check_prev_next_node+0x50/0x70
plist_check_head+0x80/0xf0
plist_add+0x28/0x140
add_to_avail_list+0x9c/0xf0
_enable_swap_info+0x78/0xb4
__do_sys_swapon+0x918/0xa10
__arm64_sys_swapon+0x20/0x30
el0_svc_common+0x8c/0x220
do_el0_svc+0x2c/0x90
el0_svc+0x1c/0x30
el0_sync_handler+0xa8/0xb0
el0_sync+0x148/0x180
irq event stamp: 2082270
Now, si->lock is locked before calling 'del_from_avail_list()' to make sure
other threads see that the si has been deleted and SWP_WRITEOK cleared together,
and will not reinsert it again.
This problem exists in versions after stable 5.10.y.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a Version: a2468cc9bfdff6139f59ca896671e5819ff5f94a |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "111a79d9b92f0a679fe300ccd3119ae9741f3d54",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "a55f268abdb74ac5633b75a09fefb58458e9d2a2",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "e7bba7ddb4318d5ea939c8db747c2c2780ab66f4",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "ea8c42b3b6d95ced3a4f555f04686d00ef0bb206",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "4bdf1514b4268d29360ba9e43becdd49955bc7ae",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "85cc118ce6f1a627901b6db50c9d01f2ad78cdbf",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "b9927d3a60ca9ed35625470888629c074e687ba0",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
},
{
"lessThan": "6fe7d6b992113719e96744d974212df3fcddc76c",
"status": "affected",
"version": "a2468cc9bfdff6139f59ca896671e5819ff5f94a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix swap_info_struct race between swapoff and get_swap_pages()\n\nThe si-\u003elock must be held when deleting the si from the available list. \nOtherwise, another thread can re-add the si to the available list, which\ncan lead to memory corruption. The only place we have found where this\nhappens is in the swapoff path. This case can be described as below:\n\ncore 0 core 1\nswapoff\n\ndel_from_avail_list(si) waiting\n\ntry lock si-\u003elock acquire swap_avail_lock\n and re-add si into\n swap_avail_head\n\nacquire si-\u003elock but missing si already being added again, and continuing\nto clear SWP_WRITEOK, etc.\n\nIt can be easily found that a massive warning messages can be triggered\ninside get_swap_pages() by some special cases, for example, we call\nmadvise(MADV_PAGEOUT) on blocks of touched memory concurrently, meanwhile,\nrun much swapon-swapoff operations (e.g. stress-ng-swap).\n\nHowever, in the worst case, panic can be caused by the above scene. In\nswapoff(), the memory used by si could be kept in swap_info[] after\nturning off a swap. This means memory corruption will not be caused\nimmediately until allocated and reset for a new swap in the swapon path. \nA panic message caused: (with CONFIG_PLIST_DEBUG enabled)\n\n------------[ cut here ]------------\ntop: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a\nprev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d\nnext: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a\nWARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70\nModules linked in: rfkill(E) crct10dif_ce(E)...\nCPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 
5.10.134+\nHardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)\npc : plist_check_prev_next_node+0x50/0x70\nlr : plist_check_prev_next_node+0x50/0x70\nsp : ffff0018009d3c30\nx29: ffff0018009d3c40 x28: ffff800011b32a98\nx27: 0000000000000000 x26: ffff001803908000\nx25: ffff8000128ea088 x24: ffff800011b32a48\nx23: 0000000000000028 x22: ffff001800875c00\nx21: ffff800010f9e520 x20: ffff001800875c00\nx19: ffff001800fdc6e0 x18: 0000000000000030\nx17: 0000000000000000 x16: 0000000000000000\nx15: 0736076307640766 x14: 0730073007380731\nx13: 0736076307640766 x12: 0730073007380731\nx11: 000000000004058d x10: 0000000085a85b76\nx9 : ffff8000101436e4 x8 : ffff800011c8ce08\nx7 : 0000000000000000 x6 : 0000000000000001\nx5 : ffff0017df9ed338 x4 : 0000000000000001\nx3 : ffff8017ce62a000 x2 : ffff0017df9ed340\nx1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n plist_check_prev_next_node+0x50/0x70\n plist_check_head+0x80/0xf0\n plist_add+0x28/0x140\n add_to_avail_list+0x9c/0xf0\n _enable_swap_info+0x78/0xb4\n __do_sys_swapon+0x918/0xa10\n __arm64_sys_swapon+0x20/0x30\n el0_svc_common+0x8c/0x220\n do_el0_svc+0x2c/0x90\n el0_svc+0x1c/0x30\n el0_sync_handler+0xa8/0xb0\n el0_sync+0x148/0x180\nirq event stamp: 2082270\n\nNow, si-\u003elock locked before calling \u0027del_from_avail_list()\u0027 to make sure\nother thread see the si had been deleted and SWP_WRITEOK cleared together,\nwill not reinsert again.\n\nThis problem exists in versions after stable 5.10.y."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:28.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/111a79d9b92f0a679fe300ccd3119ae9741f3d54"
},
{
"url": "https://git.kernel.org/stable/c/a55f268abdb74ac5633b75a09fefb58458e9d2a2"
},
{
"url": "https://git.kernel.org/stable/c/e7bba7ddb4318d5ea939c8db747c2c2780ab66f4"
},
{
"url": "https://git.kernel.org/stable/c/ea8c42b3b6d95ced3a4f555f04686d00ef0bb206"
},
{
"url": "https://git.kernel.org/stable/c/4bdf1514b4268d29360ba9e43becdd49955bc7ae"
},
{
"url": "https://git.kernel.org/stable/c/85cc118ce6f1a627901b6db50c9d01f2ad78cdbf"
},
{
"url": "https://git.kernel.org/stable/c/b9927d3a60ca9ed35625470888629c074e687ba0"
},
{
"url": "https://git.kernel.org/stable/c/6fe7d6b992113719e96744d974212df3fcddc76c"
}
],
"title": "mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53623",
"datePublished": "2025-10-07T15:19:28.834Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:28.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53634 (GCVE-0-2023-53634)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Fixed a BTI error on returning to patched function
When BPF_TRAMP_F_CALL_ORIG is set, the BPF trampoline uses BLR to jump
back to the instruction next to the call site to call the patched function.
For a BTI-enabled kernel, the instruction next to the call site is usually
PACIASP; in this case, it's safe to jump back with BLR. But when
the call site is not followed by a PACIASP or bti, a BTI exception
is triggered.
Here is a fault log:
Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI
CPU: 0 PID: 263 Comm: test_progs Tainted: GF
Hardware name: linux,dummy-virt (DT)
pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)
pc : bpf_fentry_test1+0xc/0x30
lr : bpf_trampoline_6442573892_0+0x48/0x1000
Kernel panic - not syncing: Unhandled exception
CPU: 0 PID: 263 Comm: test_progs Tainted: GF
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0xec/0x144
show_stack+0x24/0x7c
dump_stack_lvl+0x8c/0xb8
dump_stack+0x18/0x34
panic+0x1cc/0x3ec
__el0_error_handler_common+0x0/0x130
el1h_64_sync_handler+0x60/0xd0
el1h_64_sync+0x78/0x7c
bpf_fentry_test1+0xc/0x30
bpf_fentry_test1+0xc/0x30
bpf_prog_test_run_tracing+0xdc/0x2a0
__sys_bpf+0x438/0x22a0
__arm64_sys_bpf+0x30/0x54
invoke_syscall+0x78/0x110
el0_svc_common.constprop.0+0x6c/0x1d0
do_el0_svc+0x38/0xe0
el0_svc+0x30/0xd0
el0t_64_sync_handler+0x1ac/0x1b0
el0t_64_sync+0x1a0/0x1a4
Kernel Offset: disabled
CPU features: 0x0000,00034c24,f994fdab
Memory Limit: none
And the instruction next to the call site of bpf_fentry_test1 is ADD,
not PACIASP:
<bpf_fentry_test1>:
bti c
nop
nop
add w0, w0, #0x1
paciasp
For a BPF prog, the JIT always puts a PACIASP after the call site for a
BTI-enabled kernel, so there is no problem. To fix it, replace BLR with RET
to bypass the branch target check.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit.h",
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b9c64942ada229f52fe6f1b537a50f88b3c2673",
"status": "affected",
"version": "efc9909fdce00a827a37609628223cd45bf95d0b",
"versionType": "git"
},
{
"lessThan": "eabc166919d169e105263974991f52b0351e431a",
"status": "affected",
"version": "efc9909fdce00a827a37609628223cd45bf95d0b",
"versionType": "git"
},
{
"lessThan": "738a96c4a8c36950803fdd27e7c30aca92dccefd",
"status": "affected",
"version": "efc9909fdce00a827a37609628223cd45bf95d0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit.h",
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fixed a BTI error on returning to patched function\n\nWhen BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump\nback to the instruction next to call site to call the patched function.\nFor BTI-enabled kernel, the instruction next to call site is usually\nPACIASP, in this case, it\u0027s safe to jump back with BLR. But when\nthe call site is not followed by a PACIASP or bti, a BTI exception\nis triggered.\n\nHere is a fault log:\n\n Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)\n pc : bpf_fentry_test1+0xc/0x30\n lr : bpf_trampoline_6442573892_0+0x48/0x1000\n sp : ffff80000c0c3a50\n x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050\n x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a\n x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101\n x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001\n x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001\n Kernel panic - not syncing: Unhandled exception\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n dump_backtrace+0xec/0x144\n show_stack+0x24/0x7c\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x1cc/0x3ec\n __el0_error_handler_common+0x0/0x130\n el1h_64_sync_handler+0x60/0xd0\n el1h_64_sync+0x78/0x7c\n bpf_fentry_test1+0xc/0x30\n bpf_fentry_test1+0xc/0x30\n 
bpf_prog_test_run_tracing+0xdc/0x2a0\n __sys_bpf+0x438/0x22a0\n __arm64_sys_bpf+0x30/0x54\n invoke_syscall+0x78/0x110\n el0_svc_common.constprop.0+0x6c/0x1d0\n do_el0_svc+0x38/0xe0\n el0_svc+0x30/0xd0\n el0t_64_sync_handler+0x1ac/0x1b0\n el0t_64_sync+0x1a0/0x1a4\n Kernel Offset: disabled\n CPU features: 0x0000,00034c24,f994fdab\n Memory Limit: none\n\nAnd the instruction next to call site of bpf_fentry_test1 is ADD,\nnot PACIASP:\n\n\u003cbpf_fentry_test1\u003e:\n\tbti c\n\tnop\n\tnop\n\tadd w0, w0, #0x1\n\tpaciasp\n\nFor BPF prog, JIT always puts a PACIASP after call site for BTI-enabled\nkernel, so there is no problem. To fix it, replace BLR with RET to bypass\nthe branch target check."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:36.306Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b9c64942ada229f52fe6f1b537a50f88b3c2673"
},
{
"url": "https://git.kernel.org/stable/c/eabc166919d169e105263974991f52b0351e431a"
},
{
"url": "https://git.kernel.org/stable/c/738a96c4a8c36950803fdd27e7c30aca92dccefd"
}
],
"title": "bpf, arm64: Fixed a BTI error on returning to patched function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53634",
"datePublished": "2025-10-07T15:19:36.306Z",
"dateReserved": "2025-10-07T15:16:59.657Z",
"dateUpdated": "2025-10-07T15:19:36.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50534 (GCVE-0-2022-50534)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Use last transaction's pmd->root when commit failed
Recently we found a softlockup problem in the dm thin pool btree lookup
code due to corrupted metadata:
Kernel panic - not syncing: softlockup: hung tasks
CPU: 7 PID: 2669225 Comm: kworker/u16:3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: dm-thin do_worker [dm_thin_pool]
Call Trace:
<IRQ>
dump_stack+0x9c/0xd3
panic+0x35d/0x6b9
watchdog_timer_fn.cold+0x16/0x25
__run_hrtimer+0xa2/0x2d0
</IRQ>
RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
__bufio_new+0x11f/0x4f0 [dm_bufio]
new_read+0xa3/0x1e0 [dm_bufio]
dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
ro_step+0x63/0x100 [dm_persistent_data]
btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
__process_bio_read_only+0xc5/0x400 [dm_thin_pool]
process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
process_one_work+0x3c5/0x730
The following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up a data block:
Transaction 1: pmd->root = A, A->B->C   // One path in btree
               pmd->root = X, X->Y->Z   // Copy-up
Transaction 2: X,Z is updated on disk, Y write failed.
               // Commit failed, dm thin becomes read-only.
               process_bio_read_only
                dm_thin_find_block
                 __find_block
                  dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree; Y may contain a stale node
pointing to any block, for example X, which gets dm thin trapped in
a dead loop while looking up Z.
Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.
Fetch a reproducer in [Link].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216790
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b35a22760aa5008d82533e59b0f0b5eb1b02d4e5",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "87d69b8824ca9b090f5a8ed47f758e8f6eecb871",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "3db757ffdd87ed8d7118b2250236a496502a660f",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "f758987ff0af3a4b5ee69e95cab6a5294e4367b0",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "94f01ecc2aa0be992865acc80ebb6701f731f955",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "4b710e8481ade7c9200e94d3018e99dc42a0a0e8",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "a63ce4eca86fd207e3db07c00fb7ccf4adf1b230",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "b91f481300e3a10eaf66b94fc39b740928762aaf",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "7991dbff6849f67e823b7cc0c15e5a90b0549b9f",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Use last transaction\u0027s pmd-\u003eroot when commit failed\n\nRecently we found a softlock up problem in dm thin pool btree lookup\ncode due to corrupted metadata:\n\n Kernel panic - not syncing: softlockup: hung tasks\n CPU: 7 PID: 2669225 Comm: kworker/u16:3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: dm-thin do_worker [dm_thin_pool]\n Call Trace:\n \u003cIRQ\u003e\n dump_stack+0x9c/0xd3\n panic+0x35d/0x6b9\n watchdog_timer_fn.cold+0x16/0x25\n __run_hrtimer+0xa2/0x2d0\n \u003c/IRQ\u003e\n RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]\n __bufio_new+0x11f/0x4f0 [dm_bufio]\n new_read+0xa3/0x1e0 [dm_bufio]\n dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]\n ro_step+0x63/0x100 [dm_persistent_data]\n btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]\n dm_btree_lookup+0x16f/0x210 [dm_persistent_data]\n dm_thin_find_block+0x12c/0x210 [dm_thin_pool]\n __process_bio_read_only+0xc5/0x400 [dm_thin_pool]\n process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]\n process_one_work+0x3c5/0x730\n\nFollowing process may generate a broken btree mixed with fresh and\nstale btree nodes, which could get dm thin trapped in an infinite loop\nwhile looking up data block:\n Transaction 1: pmd-\u003eroot = A, A-\u003eB-\u003eC // One path in btree\n pmd-\u003eroot = X, X-\u003eY-\u003eZ // Copy-up\n Transaction 2: X,Z is updated on disk, Y write failed.\n // Commit failed, dm thin becomes read-only.\n process_bio_read_only\n\t\t dm_thin_find_block\n\t\t __find_block\n\t\t dm_btree_lookup(pmd-\u003eroot)\nThe pmd-\u003eroot points to a broken btree, Y may contain stale node\npointing to any block, for example X, which gets dm thin trapped into\na dead loop while looking up Z.\n\nFix this by setting pmd-\u003eroot in __open_metadata(), so that dm thin\nwill use the last transaction\u0027s pmd-\u003eroot if commit failed.\n\nFetch a reproducer in [Link].\n\nLinke: 
https://bugzilla.kernel.org/show_bug.cgi?id=216790"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:23.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b35a22760aa5008d82533e59b0f0b5eb1b02d4e5"
},
{
"url": "https://git.kernel.org/stable/c/87d69b8824ca9b090f5a8ed47f758e8f6eecb871"
},
{
"url": "https://git.kernel.org/stable/c/3db757ffdd87ed8d7118b2250236a496502a660f"
},
{
"url": "https://git.kernel.org/stable/c/f758987ff0af3a4b5ee69e95cab6a5294e4367b0"
},
{
"url": "https://git.kernel.org/stable/c/94f01ecc2aa0be992865acc80ebb6701f731f955"
},
{
"url": "https://git.kernel.org/stable/c/4b710e8481ade7c9200e94d3018e99dc42a0a0e8"
},
{
"url": "https://git.kernel.org/stable/c/a63ce4eca86fd207e3db07c00fb7ccf4adf1b230"
},
{
"url": "https://git.kernel.org/stable/c/b91f481300e3a10eaf66b94fc39b740928762aaf"
},
{
"url": "https://git.kernel.org/stable/c/7991dbff6849f67e823b7cc0c15e5a90b0549b9f"
}
],
"title": "dm thin: Use last transaction\u0027s pmd-\u003eroot when commit failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50534",
"datePublished": "2025-10-07T15:19:23.958Z",
"dateReserved": "2025-10-07T15:15:38.665Z",
"dateUpdated": "2025-10-07T15:19:23.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50530 (GCVE-0-2022-50530)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()
Our syzkaller report a null pointer dereference, root cause is
following:
__blk_mq_alloc_map_and_rqs
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs
blk_mq_alloc_map_and_rqs
blk_mq_alloc_rqs
// failed due to oom
alloc_pages_node
// set->tags[hctx_idx] is still NULL
blk_mq_free_rqs
drv_tags = set->tags[hctx_idx];
// null pointer dereference is triggered
blk_mq_clear_rq_mapping(drv_tags, ...)
This is because commit 63064be150e4 ("blk-mq:
Add blk_mq_alloc_map_and_rqs()") merged the two steps:
1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()
2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])
into one step:
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()
Since tags is not initialized yet in this case, fix the problem by
checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a440e6d04431e774dc084abe88c106e2a474c1a",
"status": "affected",
"version": "63064be150e4b1ba1e4af594ef5aa81adf21a52d",
"versionType": "git"
},
{
"lessThan": "76dd298094f484c6250ebd076fa53287477b2328",
"status": "affected",
"version": "63064be150e4b1ba1e4af594ef5aa81adf21a52d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()\n\nOur syzkaller report a null pointer dereference, root cause is\nfollowing:\n\n__blk_mq_alloc_map_and_rqs\n set-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs\n blk_mq_alloc_map_and_rqs\n blk_mq_alloc_rqs\n // failed due to oom\n alloc_pages_node\n // set-\u003etags[hctx_idx] is still NULL\n blk_mq_free_rqs\n drv_tags = set-\u003etags[hctx_idx];\n // null pointer dereference is triggered\n blk_mq_clear_rq_mapping(drv_tags, ...)\n\nThis is because commit 63064be150e4 (\"blk-mq:\nAdd blk_mq_alloc_map_and_rqs()\") merged the two steps:\n\n1) set-\u003etags[hctx_idx] = blk_mq_alloc_rq_map()\n2) blk_mq_alloc_rqs(..., set-\u003etags[hctx_idx])\n\ninto one step:\n\nset-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs()\n\nSince tags is not initialized yet in this case, fix the problem by\nchecking if tags is NULL pointer in blk_mq_clear_rq_mapping()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:21.259Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a"
},
{
"url": "https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328"
}
],
"title": "blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50530",
"datePublished": "2025-10-07T15:19:21.259Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:21.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53652 (GCVE-0-2023-53652)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa features attr to avoid
such bugs.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44b508cc96889e61799cc0fc6c00766a54f3ab5a",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
},
{
"lessThan": "645d17e06c502e71b880b2b854930e5a64014640",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
},
{
"lessThan": "79c8651587504ba263d2fd67fd4406240fb21f69",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add features attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info-\u003eattrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa features attr to avoid\nsuch bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:48.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44b508cc96889e61799cc0fc6c00766a54f3ab5a"
},
{
"url": "https://git.kernel.org/stable/c/645d17e06c502e71b880b2b854930e5a64014640"
},
{
"url": "https://git.kernel.org/stable/c/79c8651587504ba263d2fd67fd4406240fb21f69"
}
],
"title": "vdpa: Add features attr to vdpa_nl_policy for nlattr length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53652",
"datePublished": "2025-10-07T15:19:48.628Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53669 (GCVE-0-2023-53669)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix skb_copy_ubufs() vs BIG TCP
David Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy
using hugepages, and skb length bigger than ~68 KB.
skb_copy_ubufs() assumed it could copy all payload using up to
MAX_SKB_FRAGS order-0 pages.
This assumption broke when BIG TCP was able to put up to 512 KB per skb.
We did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45
and limit gso_max_size to 180000.
A solution is to use higher order pages if needed.
v2: add missing __GFP_COMP, or we leak memory.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fa93e39fbb0566019c388a8038a4d58552e0910",
"status": "affected",
"version": "7c4e983c4f3cf94fcd879730c6caa877e0768a4d",
"versionType": "git"
},
{
"lessThan": "3c77a377877acbaf03cd7caa21d3644a5dd16301",
"status": "affected",
"version": "7c4e983c4f3cf94fcd879730c6caa877e0768a4d",
"versionType": "git"
},
{
"lessThan": "9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f",
"status": "affected",
"version": "7c4e983c4f3cf94fcd879730c6caa877e0768a4d",
"versionType": "git"
},
{
"lessThan": "7e692df3933628d974acb9f5b334d2b3e885e2a6",
"status": "affected",
"version": "7c4e983c4f3cf94fcd879730c6caa877e0768a4d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix skb_copy_ubufs() vs BIG TCP\n\nDavid Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy\nusing hugepages, and skb length bigger than ~68 KB.\n\nskb_copy_ubufs() assumed it could copy all payload using up to\nMAX_SKB_FRAGS order-0 pages.\n\nThis assumption broke when BIG TCP was able to put up to 512 KB per skb.\n\nWe did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45\nand limit gso_max_size to 180000.\n\nA solution is to use higher order pages if needed.\n\nv2: add missing __GFP_COMP, or we leak memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:26.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fa93e39fbb0566019c388a8038a4d58552e0910"
},
{
"url": "https://git.kernel.org/stable/c/3c77a377877acbaf03cd7caa21d3644a5dd16301"
},
{
"url": "https://git.kernel.org/stable/c/9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f"
},
{
"url": "https://git.kernel.org/stable/c/7e692df3933628d974acb9f5b334d2b3e885e2a6"
}
],
"title": "tcp: fix skb_copy_ubufs() vs BIG TCP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53669",
"datePublished": "2025-10-07T15:21:26.896Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:26.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53686 (GCVE-0-2023-53686)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: fix null-ptr-deref in handshake_nl_done_doit()
We should not call trace_handshake_cmd_done_err() if socket lookup has failed.
Also we should call trace_handshake_cmd_done_err() before releasing the file,
otherwise dereferencing sock->sk can return garbage.
This also reverts 7afc6d0a107f ("net/handshake: Fix uninitialized local variable")
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193
lr : handshake_nl_done_doit+0x180/0x9c8
sp : ffff800096e37180
x29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000
x26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8
x23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000
x20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000
x17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001
x14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003
x8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080a88078
x2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000
Call trace:
handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193
genl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]
genl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549
genl_rcv+0x38/0x50 net/netlink/genetlink.c:1078
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg net/socket.c:748 [inline]
____sys_sendmsg+0x56c/0x840 net/socket.c:2494
___sys_sendmsg net/socket.c:2548 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 12800108 b90043e8 910062b3 d343fe68 (387b6908)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d69f18edcca282351394c5870bec24cc99d745",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "82ba0ff7bf0483d962e592017bef659ae022d754",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: fix null-ptr-deref in handshake_nl_done_doit()\n\nWe should not call trace_handshake_cmd_done_err() if socket lookup has failed.\n\nAlso we should call trace_handshake_cmd_done_err() before releasing the file,\notherwise dereferencing sock-\u003esk can return garbage.\n\nThis also reverts 7afc6d0a107f (\"net/handshake: Fix uninitialized local variable\")\n\nUnable to handle kernel paging request at virtual address dfff800000000003\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nMem abort info:\nESR = 0x0000000096000005\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nData abort info:\nISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000003] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\nlr : handshake_nl_done_doit+0x180/0x9c8\nsp : ffff800096e37180\nx29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000\nx26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8\nx23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000\nx20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000\nx17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001\nx14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003\nx8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000\nx5 : 0000000000000000 x4 
: 0000000000000000 x3 : ffff800080a88078\nx2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000\nCall trace:\nhandshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\ngenl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]\ngenl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]\ngenl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067\nnetlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549\ngenl_rcv+0x38/0x50 net/netlink/genetlink.c:1078\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914\nsock_sendmsg_nosec net/socket.c:725 [inline]\nsock_sendmsg net/socket.c:748 [inline]\n____sys_sendmsg+0x56c/0x840 net/socket.c:2494\n___sys_sendmsg net/socket.c:2548 [inline]\n__sys_sendmsg+0x26c/0x33c net/socket.c:2577\n__do_sys_sendmsg net/socket.c:2586 [inline]\n__se_sys_sendmsg net/socket.c:2584 [inline]\n__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584\n__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\ninvoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\nel0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\ndo_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\nel0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 12800108 b90043e8 910062b3 d343fe68 (387b6908)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:38.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d69f18edcca282351394c5870bec24cc99d745"
},
{
"url": "https://git.kernel.org/stable/c/82ba0ff7bf0483d962e592017bef659ae022d754"
}
],
"title": "net/handshake: fix null-ptr-deref in handshake_nl_done_doit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53686",
"datePublished": "2025-10-07T15:21:38.824Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:38.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53618 (GCVE-0-2023-53618)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject invalid reloc tree root keys with stack dump
[BUG]
Syzbot reported a crash that an ASSERT() got triggered inside
prepare_to_merge().
That ASSERT() makes sure the reloc tree is properly pointed back by its
subvolume tree.
[CAUSE]
After more debugging output, it turns out we had an invalid reloc tree:
BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
Note the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,
QUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.
But reloc trees can only exist for subvolumes, as for non-subvolume
trees, we just COW the involved tree block, no need to create a reloc
tree since those tree blocks won't be shared with other trees.
Only subvolumes tree can share tree blocks with other trees (thus they
have BTRFS_ROOT_SHAREABLE flag).
Thus this new debug output proves my previous assumption that corrupted
on-disk data can trigger that ASSERT().
[FIX]
Besides the dedicated fix and the graceful exit, also let tree-checker to
check such root keys, to make sure reloc trees can only exist for subvolumes.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "314135b7bae9618a317874ae195272682cf2d5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ae93b316ca4b8b3c33798ef1d210355f2fb9318",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84256e00eeca73c529fc6196e478cc89b8098157",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ebcd021c92b8e4b904552e4d87283032100796d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject invalid reloc tree root keys with stack dump\n\n[BUG]\nSyzbot reported a crash that an ASSERT() got triggered inside\nprepare_to_merge().\n\nThat ASSERT() makes sure the reloc tree is properly pointed back by its\nsubvolume tree.\n\n[CAUSE]\nAfter more debugging output, it turns out we had an invalid reloc tree:\n\n BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17\n\nNote the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,\nQUOTA_TREE_OBJECTID), meaning it\u0027s a reloc tree for quota tree.\n\nBut reloc trees can only exist for subvolumes, as for non-subvolume\ntrees, we just COW the involved tree block, no need to create a reloc\ntree since those tree blocks won\u0027t be shared with other trees.\n\nOnly subvolumes tree can share tree blocks with other trees (thus they\nhave BTRFS_ROOT_SHAREABLE flag).\n\nThus this new debug output proves my previous assumption that corrupted\non-disk data can trigger that ASSERT().\n\n[FIX]\nBesides the dedicated fix and the graceful exit, also let tree-checker to\ncheck such root keys, to make sure reloc trees can only exist for subvolumes."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:25.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/314135b7bae9618a317874ae195272682cf2d5d4"
},
{
"url": "https://git.kernel.org/stable/c/3ae93b316ca4b8b3c33798ef1d210355f2fb9318"
},
{
"url": "https://git.kernel.org/stable/c/84256e00eeca73c529fc6196e478cc89b8098157"
},
{
"url": "https://git.kernel.org/stable/c/6ebcd021c92b8e4b904552e4d87283032100796d"
}
],
"title": "btrfs: reject invalid reloc tree root keys with stack dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53618",
"datePublished": "2025-10-07T15:19:25.303Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:25.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53620 (GCVE-0-2023-53620)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix soft lockup in status_resync
status_resync() will calculate 'curr_resync - recovery_active' to show
user a progress bar like following:
[============>........] resync = 61.4%
'curr_resync' and 'recovery_active' is updated in md_do_sync(), and
status_resync() can read them concurrently, hence it's possible that
'curr_resync - recovery_active' can overflow to a huge number. In this
case status_resync() will be stuck in the loop to print a large amount
of '=', which will end up soft lockup.
Fix the problem by setting 'resync' to MD_RESYNC_ACTIVE in this case,
this way resync in progress will be reported to user.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4acb6c3ede88d6b7d33742a09e63cfce5e7fb69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23309704e90859af2662bedc44101e6d1d2ece7e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6efddf1e32e2a264694766ca485a4f5e04ee82a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix soft lockup in status_resync\n\nstatus_resync() will calculate \u0027curr_resync - recovery_active\u0027 to show\nuser a progress bar like following:\n\n[============\u003e........] resync = 61.4%\n\n\u0027curr_resync\u0027 and \u0027recovery_active\u0027 is updated in md_do_sync(), and\nstatus_resync() can read them concurrently, hence it\u0027s possible that\n\u0027curr_resync - recovery_active\u0027 can overflow to a huge number. In this\ncase status_resync() will be stuck in the loop to print a large amount\nof \u0027=\u0027, which will end up soft lockup.\n\nFix the problem by setting \u0027resync\u0027 to MD_RESYNC_ACTIVE in this case,\nthis way resync in progress will be reported to user."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:26.686Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4acb6c3ede88d6b7d33742a09e63cfce5e7fb69"
},
{
"url": "https://git.kernel.org/stable/c/23309704e90859af2662bedc44101e6d1d2ece7e"
},
{
"url": "https://git.kernel.org/stable/c/6efddf1e32e2a264694766ca485a4f5e04ee82a7"
}
],
"title": "md: fix soft lockup in status_resync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53620",
"datePublished": "2025-10-07T15:19:26.686Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:26.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53635 (GCVE-0-2023-53635)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: fix wrong ct->timeout value
(struct nf_conn)->timeout is an interval before the conntrack
confirmed. After confirmed, it becomes a timestamp.
It is observed that timeout of an unconfirmed conntrack:
- Set by calling ctnetlink_change_timeout(). As a result,
`nfct_time_stamp` was wrongly added to `ct->timeout` twice.
- Get by calling ctnetlink_dump_timeout(). As a result,
`nfct_time_stamp` was wrongly subtracted.
Call Trace:
<TASK>
dump_stack_lvl
ctnetlink_dump_timeout
__ctnetlink_glue_build
ctnetlink_glue_build
__nfqnl_enqueue_packet
nf_queue
nf_hook_slow
ip_mc_output
? __pfx_ip_finish_output
ip_send_skb
? __pfx_dst_output
udp_send_skb
udp_sendmsg
? __pfx_ip_generic_getfrag
sock_sendmsg
Separate the 2 cases in:
- Setting `ct->timeout` in __nf_ct_set_timeout().
- Getting `ct->timeout` in ctnetlink_dump_timeout().
Pablo appends:
Update ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is
set on, otherwise conntrack creation via ctnetlink breaks.
Note that the problem described in this patch occurs since the
introduction of the nfnetlink_queue conntrack support, select a
sufficiently old Fixes: tag for -stable kernel to pick up this fix.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80c5ba0078e20d926d11d0778f9a43902664ebf0",
"status": "affected",
"version": "a4b4766c3cebb4018167e06b863d8e95b7274757",
"versionType": "git"
},
{
"lessThan": "ff5e4ac8dd7be7f1faba955c5779a68571eeb0f8",
"status": "affected",
"version": "a4b4766c3cebb4018167e06b863d8e95b7274757",
"versionType": "git"
},
{
"lessThan": "f612ae1ab4793701caf39386fb3b7f4b3ef44e48",
"status": "affected",
"version": "a4b4766c3cebb4018167e06b863d8e95b7274757",
"versionType": "git"
},
{
"lessThan": "73db1b8f2bb6725b7391e85aab41fdf592b3c0c1",
"status": "affected",
"version": "a4b4766c3cebb4018167e06b863d8e95b7274757",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: fix wrong ct-\u003etimeout value\n\n(struct nf_conn)-\u003etimeout is an interval before the conntrack\nconfirmed. After confirmed, it becomes a timestamp.\n\nIt is observed that timeout of an unconfirmed conntrack:\n- Set by calling ctnetlink_change_timeout(). As a result,\n `nfct_time_stamp` was wrongly added to `ct-\u003etimeout` twice.\n- Get by calling ctnetlink_dump_timeout(). As a result,\n `nfct_time_stamp` was wrongly subtracted.\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl\n ctnetlink_dump_timeout\n __ctnetlink_glue_build\n ctnetlink_glue_build\n __nfqnl_enqueue_packet\n nf_queue\n nf_hook_slow\n ip_mc_output\n ? __pfx_ip_finish_output\n ip_send_skb\n ? __pfx_dst_output\n udp_send_skb\n udp_sendmsg\n ? __pfx_ip_generic_getfrag\n sock_sendmsg\n\nSeparate the 2 cases in:\n- Setting `ct-\u003etimeout` in __nf_ct_set_timeout().\n- Getting `ct-\u003etimeout` in ctnetlink_dump_timeout().\n\nPablo appends:\n\nUpdate ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is\nset on, otherwise conntrack creation via ctnetlink breaks.\n\nNote that the problem described in this patch occurs since the\nintroduction of the nfnetlink_queue conntrack support, select a\nsufficiently old Fixes: tag for -stable kernel to pick up this fix."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:36.973Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80c5ba0078e20d926d11d0778f9a43902664ebf0"
},
{
"url": "https://git.kernel.org/stable/c/ff5e4ac8dd7be7f1faba955c5779a68571eeb0f8"
},
{
"url": "https://git.kernel.org/stable/c/f612ae1ab4793701caf39386fb3b7f4b3ef44e48"
},
{
"url": "https://git.kernel.org/stable/c/73db1b8f2bb6725b7391e85aab41fdf592b3c0c1"
}
],
"title": "netfilter: conntrack: fix wrong ct-\u003etimeout value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53635",
"datePublished": "2025-10-07T15:19:36.973Z",
"dateReserved": "2025-10-07T15:16:59.657Z",
"dateUpdated": "2025-10-07T15:19:36.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50523 (GCVE-0-2022-50523)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
If clk_register() fails, @pll->rate_table may have allocated memory by
kmemdup(), so it needs to be freed, otherwise will cause memory leak
issue, this patch fixes it.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | 90c590254051f511299538c158e12fdad41ce163 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/rockchip/clk-pll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20201c3a0a32f127fa4bdf379d6ac01c2978702d",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "86e1e080ad14c5fb6c14a5f0eb530b1b38cbc968",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f02c1d8dc8d880cbaaf9094b4f396fe868ee23ff",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "26b94635f1c84d7f6cb482179125cb17e59c90a5",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f4d70c139d313948e02360304a6cbcd3a4f5deb5",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "5b0a1f1247cd42ac5e0d369f8dbb58762692edee",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "dcd4ba068b194c6ef0071491aa3f12bec8c14d5b",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "739a6a6bbdb793bd57938cb24aa5a6df89983546",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/rockchip/clk-pll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rockchip: Fix memory leak in rockchip_clk_register_pll()\n\nIf clk_register() fails, @pll-\u003erate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise will cause memory leak\nissue, this patch fixes it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:16.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20201c3a0a32f127fa4bdf379d6ac01c2978702d"
},
{
"url": "https://git.kernel.org/stable/c/86e1e080ad14c5fb6c14a5f0eb530b1b38cbc968"
},
{
"url": "https://git.kernel.org/stable/c/f02c1d8dc8d880cbaaf9094b4f396fe868ee23ff"
},
{
"url": "https://git.kernel.org/stable/c/26b94635f1c84d7f6cb482179125cb17e59c90a5"
},
{
"url": "https://git.kernel.org/stable/c/f4d70c139d313948e02360304a6cbcd3a4f5deb5"
},
{
"url": "https://git.kernel.org/stable/c/5b0a1f1247cd42ac5e0d369f8dbb58762692edee"
},
{
"url": "https://git.kernel.org/stable/c/dcd4ba068b194c6ef0071491aa3f12bec8c14d5b"
},
{
"url": "https://git.kernel.org/stable/c/f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb"
},
{
"url": "https://git.kernel.org/stable/c/739a6a6bbdb793bd57938cb24aa5a6df89983546"
}
],
"title": "clk: rockchip: Fix memory leak in rockchip_clk_register_pll()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50523",
"datePublished": "2025-10-07T15:19:16.595Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:16.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53643 (GCVE-0-2023-53643)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: don't access released socket during error recovery
While the error recovery work is temporarily failing reconnect attempts,
running the 'nvme list' command causes a kernel NULL pointer dereference
by calling getsockname() with a released socket.
During error recovery work, the nvme tcp socket is released and a new one
created, so it is not safe to access the socket without proper check.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe2d9e54165dadaa0d0cc3355c0be9c3e129fa0d",
"status": "affected",
"version": "02c57a82c0081141abc19150beab48ef47f97f18",
"versionType": "git"
},
{
"lessThan": "d82f762db4776fa11de88018f0f5de2d5db72a72",
"status": "affected",
"version": "02c57a82c0081141abc19150beab48ef47f97f18",
"versionType": "git"
},
{
"lessThan": "76d54bf20cdcc1ed7569a89885e09636e9a8d71d",
"status": "affected",
"version": "02c57a82c0081141abc19150beab48ef47f97f18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: don\u0027t access released socket during error recovery\n\nWhile the error recovery work is temporarily failing reconnect attempts,\nrunning the \u0027nvme list\u0027 command causes a kernel NULL pointer dereference\nby calling getsockname() with a released socket.\n\nDuring error recovery work, the nvme tcp socket is released and a new one\ncreated, so it is not safe to access the socket without proper check."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:42.374Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe2d9e54165dadaa0d0cc3355c0be9c3e129fa0d"
},
{
"url": "https://git.kernel.org/stable/c/d82f762db4776fa11de88018f0f5de2d5db72a72"
},
{
"url": "https://git.kernel.org/stable/c/76d54bf20cdcc1ed7569a89885e09636e9a8d71d"
}
],
"title": "nvme-tcp: don\u0027t access released socket during error recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53643",
"datePublished": "2025-10-07T15:19:42.374Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:42.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53677 (GCVE-0-2023-53677)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix memory leaks in i915 selftests
This patch fixes memory leaks on error escapes in function fake_get_pages
(cherry picked from commit 8bfbdadce85c4c51689da10f39c805a7106d4567)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "596d7308e189a3230bf33d667b64acc73846c2d0",
"status": "affected",
"version": "c3bfba9a222550406082c92bbabc9c8b1355d8b8",
"versionType": "git"
},
{
"lessThan": "803033c148f754f32da1b93926c49c22731ec485",
"status": "affected",
"version": "c3bfba9a222550406082c92bbabc9c8b1355d8b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix memory leaks in i915 selftests\n\nThis patch fixes memory leaks on error escapes in function fake_get_pages\n\n(cherry picked from commit 8bfbdadce85c4c51689da10f39c805a7106d4567)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:32.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/596d7308e189a3230bf33d667b64acc73846c2d0"
},
{
"url": "https://git.kernel.org/stable/c/803033c148f754f32da1b93926c49c22731ec485"
}
],
"title": "drm/i915: Fix memory leaks in i915 selftests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53677",
"datePublished": "2025-10-07T15:21:32.551Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:32.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53675 (GCVE-0-2023-53675)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cffe09ca0555e235a42d6fa065e463c4b3d5b657",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c315560e3ef77c1d822249f1743e647dc9c9912a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "584892fd29a41ef424a148118a3103b16b94fb8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "414418abc19fa4ccf730d273061a426c07a061d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b8cae410472653a59e15af62c57c49b8e0a1201",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "801ab13d50cf3d26170ee073ea8bb4eececb76ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible desc_ptr out-of-bounds accesses\n\nSanitize possible desc_ptr out-of-bounds accesses in\nses_enclosure_data_process()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:31.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7"
},
{
"url": "https://git.kernel.org/stable/c/cffe09ca0555e235a42d6fa065e463c4b3d5b657"
},
{
"url": "https://git.kernel.org/stable/c/79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19"
},
{
"url": "https://git.kernel.org/stable/c/c315560e3ef77c1d822249f1743e647dc9c9912a"
},
{
"url": "https://git.kernel.org/stable/c/584892fd29a41ef424a148118a3103b16b94fb8c"
},
{
"url": "https://git.kernel.org/stable/c/414418abc19fa4ccf730d273061a426c07a061d6"
},
{
"url": "https://git.kernel.org/stable/c/4b8cae410472653a59e15af62c57c49b8e0a1201"
},
{
"url": "https://git.kernel.org/stable/c/801ab13d50cf3d26170ee073ea8bb4eececb76ab"
}
],
"title": "scsi: ses: Fix possible desc_ptr out-of-bounds accesses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53675",
"datePublished": "2025-10-07T15:21:31.018Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:31.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50550 (GCVE-0-2022-50550)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-iolatency: Fix memory leak on add_disk() failures
When a gendisk is successfully initialized but add_disk() fails such as when
a loop device has invalid number of minor device numbers specified,
blkcg_init_disk() is called during init and then blkcg_exit_disk() during
error handling. Unfortunately, iolatency gets initialized in the former but
doesn't get cleaned up in the latter.
This is because, in non-error cases, the cleanup is performed by
del_gendisk() calling rq_qos_exit(), the assumption being that rq_qos
policies, iolatency being one of them, can only be activated once the disk
is fully registered and visible. That assumption is true for wbt and iocost,
but not so for iolatency as it gets initialized before add_disk() is called.
It is desirable to lazy-init rq_qos policies because they are optional
features and add to hot path overhead once initialized - each IO has to walk
all the registered rq_qos policies. So, we want to switch iolatency to lazy
init too. However, that's a bigger change. As a fix for the immediate
problem, let's just add an extra call to rq_qos_exit() in blkcg_exit_disk().
This is safe because duplicate calls to rq_qos_exit() become noop's.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a126e1db5553ce4498290df019866952f858954",
"status": "affected",
"version": "d70675121546c35feaceebf7ed9caed8716640f3",
"versionType": "git"
},
{
"lessThan": "215f9437dda09531bcb80605298a24219f01cec5",
"status": "affected",
"version": "d70675121546c35feaceebf7ed9caed8716640f3",
"versionType": "git"
},
{
"lessThan": "813e693023ba10da9e75067780f8378465bf27cc",
"status": "affected",
"version": "d70675121546c35feaceebf7ed9caed8716640f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix memory leak on add_disk() failures\n\nWhen a gendisk is successfully initialized but add_disk() fails such as when\na loop device has invalid number of minor device numbers specified,\nblkcg_init_disk() is called during init and then blkcg_exit_disk() during\nerror handling. Unfortunately, iolatency gets initialized in the former but\ndoesn\u0027t get cleaned up in the latter.\n\nThis is because, in non-error cases, the cleanup is performed by\ndel_gendisk() calling rq_qos_exit(), the assumption being that rq_qos\npolicies, iolatency being one of them, can only be activated once the disk\nis fully registered and visible. That assumption is true for wbt and iocost,\nbut not so for iolatency as it gets initialized before add_disk() is called.\n\nIt is desirable to lazy-init rq_qos policies because they are optional\nfeatures and add to hot path overhead once initialized - each IO has to walk\nall the registered rq_qos policies. So, we want to switch iolatency to lazy\ninit too. However, that\u0027s a bigger change. As a fix for the immediate\nproblem, let\u0027s just add an extra call to rq_qos_exit() in blkcg_exit_disk().\nThis is safe because duplicate calls to rq_qos_exit() become noop\u0027s."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:12.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a126e1db5553ce4498290df019866952f858954"
},
{
"url": "https://git.kernel.org/stable/c/215f9437dda09531bcb80605298a24219f01cec5"
},
{
"url": "https://git.kernel.org/stable/c/813e693023ba10da9e75067780f8378465bf27cc"
}
],
"title": "blk-iolatency: Fix memory leak on add_disk() failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50550",
"datePublished": "2025-10-07T15:21:12.689Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:12.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53655 (GCVE-0-2023-53655)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed

Registering a kprobe on __rcu_irq_enter_check_tick() can cause kernel
stack overflow as shown below. This issue can be reproduced by enabling
CONFIG_NO_HZ_FULL and booting the kernel with argument "nohz_full=",
and then giving the following commands at the shell prompt:

    # cd /sys/kernel/tracing/
    # echo 'p:mp1 __rcu_irq_enter_check_tick' >> kprobe_events
    # echo 1 > events/kprobes/enable

This commit therefore adds __rcu_irq_enter_check_tick() to the kprobes
blacklist using NOKPROBE_SYMBOL().

Insufficient stack space to handle exception!
ESR: 0x00000000f2000004 -- BRK (AArch64)
FAR: 0x0000ffffccf3e510
Task stack: [0xffff80000ad30000..0xffff80000ad38000]
IRQ stack: [0xffff800008050000..0xffff800008058000]
Overflow stack: [0xffff089c36f9f310..0xffff089c36fa0310]
CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
Hardware name: linux,dummy-virt (DT)
pstate: 400003c5 (nZcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __rcu_irq_enter_check_tick+0x0/0x1b8
lr : ct_nmi_enter+0x11c/0x138
sp : ffff80000ad30080
x29: ffff80000ad30080 x28: ffff089c82e20000 x27: 0000000000000000
x26: 0000000000000000 x25: ffff089c02a8d100 x24: 0000000000000000
x23: 00000000400003c5 x22: 0000ffffccf3e510 x21: ffff089c36fae148
x20: ffff80000ad30120 x19: ffffa8da8fcce148 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffffa8da8e44ea6c
x14: ffffa8da8e44e968 x13: ffffa8da8e03136c x12: 1fffe113804d6809
x11: ffff6113804d6809 x10: 0000000000000a60 x9 : dfff800000000000
x8 : ffff089c026b404f x7 : 00009eec7fb297f7 x6 : 0000000000000001
x5 : ffff80000ad30120 x4 : dfff800000000000 x3 : ffffa8da8e3016f4
x2 : 0000000000000003 x1 : 0000000000000000 x0 : 0000000000000000
Kernel panic - not syncing: kernel stack overflow
CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0xf8/0x108
show_stack+0x20/0x30
dump_stack_lvl+0x68/0x84
dump_stack+0x1c/0x38
panic+0x214/0x404
add_taint+0x0/0xf8
panic_bad_stack+0x144/0x160
handle_bad_stack+0x38/0x58
__bad_stack+0x78/0x7c
__rcu_irq_enter_check_tick+0x0/0x1b8
arm64_enter_el1_dbg.isra.0+0x14/0x20
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
arm64_enter_el1_dbg.isra.0+0x14/0x20
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
arm64_enter_el1_dbg.isra.0+0x14/0x20
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
[...]
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
arm64_enter_el1_dbg.isra.0+0x14/0x20
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
arm64_enter_el1_dbg.isra.0+0x14/0x20
el1_dbg+0x2c/0x90
el1h_64_sync_handler+0xcc/0xe8
el1h_64_sync+0x64/0x68
__rcu_irq_enter_check_tick+0x0/0x1b8
el1_interrupt+0x28/0x60
el1h_64_irq_handler+0x18/0x28
el1h_64_irq+0x64/0x68
__ftrace_set_clr_event_nolock+0x98/0x198
__ftrace_set_clr_event+0x58/0x80
system_enable_write+0x144/0x178
vfs_write+0x174/0x738
ksys_write+0xd0/0x188
__arm64_sys_write+0x4c/0x60
invoke_syscall+0x64/0x180
el0_svc_common.constprop.0+0x84/0x160
do_el0_svc+0x48/0xe8
el0_svc+0x34/0xd0
el0t_64_sync_handler+0xb8/0xc0
el0t_64_sync+0x190/0x194
SMP: stopping secondary CPUs
Kernel Offset: 0x28da86000000 from 0xffff800008000000
PHYS_OFFSET: 0xfffff76600000000
CPU features: 0x00000,01a00100,0000421b
Memory Limit: none
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb18bc5a8678f431c500e6da1b8b5f34478d5bc1",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
},
{
"lessThan": "4c3d1a6720aefb02403ddfebe85db521d3af2c3b",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
},
{
"lessThan": "c8a3341b339285495cf7c8d061d659465f2311e0",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
},
{
"lessThan": "93b6295f677d96b73cfcb703532f6c7369a60d96",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
},
{
"lessThan": "7b5a97333e920b69356e097f185bdc51d61e66ee",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
},
{
"lessThan": "7a29fb4a4771124bc61de397dbfc1554dbbcc19c",
"status": "affected",
"version": "aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed\n\nRegistering a kprobe on __rcu_irq_enter_check_tick() can cause kernel\nstack overflow as shown below. This issue can be reproduced by enabling\nCONFIG_NO_HZ_FULL and booting the kernel with argument \"nohz_full=\",\nand then giving the following commands at the shell prompt:\n\n # cd /sys/kernel/tracing/\n # echo \u0027p:mp1 __rcu_irq_enter_check_tick\u0027 \u003e\u003e kprobe_events\n # echo 1 \u003e events/kprobes/enable\n\nThis commit therefore adds __rcu_irq_enter_check_tick() to the kprobes\nblacklist using NOKPROBE_SYMBOL().\n\nInsufficient stack space to handle exception!\nESR: 0x00000000f2000004 -- BRK (AArch64)\nFAR: 0x0000ffffccf3e510\nTask stack: [0xffff80000ad30000..0xffff80000ad38000]\nIRQ stack: [0xffff800008050000..0xffff800008058000]\nOverflow stack: [0xffff089c36f9f310..0xffff089c36fa0310]\nCPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19\nHardware name: linux,dummy-virt (DT)\npstate: 400003c5 (nZcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __rcu_irq_enter_check_tick+0x0/0x1b8\nlr : ct_nmi_enter+0x11c/0x138\nsp : ffff80000ad30080\nx29: ffff80000ad30080 x28: ffff089c82e20000 x27: 0000000000000000\nx26: 0000000000000000 x25: ffff089c02a8d100 x24: 0000000000000000\nx23: 00000000400003c5 x22: 0000ffffccf3e510 x21: ffff089c36fae148\nx20: ffff80000ad30120 x19: ffffa8da8fcce148 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffffa8da8e44ea6c\nx14: ffffa8da8e44e968 x13: ffffa8da8e03136c x12: 1fffe113804d6809\nx11: ffff6113804d6809 x10: 0000000000000a60 x9 : dfff800000000000\nx8 : ffff089c026b404f x7 : 00009eec7fb297f7 x6 : 0000000000000001\nx5 : ffff80000ad30120 x4 : dfff800000000000 x3 : ffffa8da8e3016f4\nx2 : 0000000000000003 x1 : 0000000000000000 x0 : 0000000000000000\nKernel panic - not syncing: kernel stack overflow\nCPU: 5 PID: 190 Comm: 
bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xf8/0x108\n show_stack+0x20/0x30\n dump_stack_lvl+0x68/0x84\n dump_stack+0x1c/0x38\n panic+0x214/0x404\n add_taint+0x0/0xf8\n panic_bad_stack+0x144/0x160\n handle_bad_stack+0x38/0x58\n __bad_stack+0x78/0x7c\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n [...]\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n el1_interrupt+0x28/0x60\n el1h_64_irq_handler+0x18/0x28\n el1h_64_irq+0x64/0x68\n __ftrace_set_clr_event_nolock+0x98/0x198\n __ftrace_set_clr_event+0x58/0x80\n system_enable_write+0x144/0x178\n vfs_write+0x174/0x738\n ksys_write+0xd0/0x188\n __arm64_sys_write+0x4c/0x60\n invoke_syscall+0x64/0x180\n el0_svc_common.constprop.0+0x84/0x160\n do_el0_svc+0x48/0xe8\n el0_svc+0x34/0xd0\n el0t_64_sync_handler+0xb8/0xc0\n el0t_64_sync+0x190/0x194\nSMP: stopping secondary CPUs\nKernel Offset: 0x28da86000000 from 0xffff800008000000\nPHYS_OFFSET: 0xfffff76600000000\nCPU features: 0x00000,01a00100,0000421b\nMemory Limit: none"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:16.889Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb18bc5a8678f431c500e6da1b8b5f34478d5bc1"
},
{
"url": "https://git.kernel.org/stable/c/4c3d1a6720aefb02403ddfebe85db521d3af2c3b"
},
{
"url": "https://git.kernel.org/stable/c/c8a3341b339285495cf7c8d061d659465f2311e0"
},
{
"url": "https://git.kernel.org/stable/c/93b6295f677d96b73cfcb703532f6c7369a60d96"
},
{
"url": "https://git.kernel.org/stable/c/7b5a97333e920b69356e097f185bdc51d61e66ee"
},
{
"url": "https://git.kernel.org/stable/c/7a29fb4a4771124bc61de397dbfc1554dbbcc19c"
}
],
"title": "rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53655",
"datePublished": "2025-10-07T15:21:16.889Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:21:16.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53624 (GCVE-0-2023-53624)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_fq: fix integer overflow of "credit"
if sch_fq is configured with "initial quantum" having values greater than
INT_MAX, the first assignment of "credit" does signed integer overflow to
a very negative value.
In this situation, the syzkaller script provided by Cristoph triggers the
CPU soft-lockup warning even with few sockets. It's not an infinite loop,
but "credit" wasn't probably meant to be minus 2Gb for each new flow.
Capping "initial quantum" to INT_MAX proved to fix the issue.
v2: validation of "initial quantum" is done in fq_policy, instead of open
coding in fq_change() _ suggested by Jakub Kicinski
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: afe4fd062416b158a8a8538b23adc1930a9b88dc |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fq.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b8a05e3801661a0438fcd0cdef181030d966a5a",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
},
{
"lessThan": "d0b43125ec892aeb1b03e5df5aab595097da225a",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
},
{
"lessThan": "4fbefeab88c6e79753a25099d455d3d59d2946b4",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
},
{
"lessThan": "85f24cb2f10b2b0f2882e5786a09b4790bb3a0ad",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
},
{
"lessThan": "2322462d6f9ad4874f4e3c63df3b5cc00cb1acbd",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
},
{
"lessThan": "7041101ff6c3073fd8f2e99920f535b111c929cb",
"status": "affected",
"version": "afe4fd062416b158a8a8538b23adc1930a9b88dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fq.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_fq: fix integer overflow of \"credit\"\n\nif sch_fq is configured with \"initial quantum\" having values greater than\nINT_MAX, the first assignment of \"credit\" does signed integer overflow to\na very negative value.\nIn this situation, the syzkaller script provided by Cristoph triggers the\nCPU soft-lockup warning even with few sockets. It\u0027s not an infinite loop,\nbut \"credit\" wasn\u0027t probably meant to be minus 2Gb for each new flow.\nCapping \"initial quantum\" to INT_MAX proved to fix the issue.\n\nv2: validation of \"initial quantum\" is done in fq_policy, instead of open\n coding in fq_change() _ suggested by Jakub Kicinski"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:29.545Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b8a05e3801661a0438fcd0cdef181030d966a5a"
},
{
"url": "https://git.kernel.org/stable/c/d0b43125ec892aeb1b03e5df5aab595097da225a"
},
{
"url": "https://git.kernel.org/stable/c/4fbefeab88c6e79753a25099d455d3d59d2946b4"
},
{
"url": "https://git.kernel.org/stable/c/85f24cb2f10b2b0f2882e5786a09b4790bb3a0ad"
},
{
"url": "https://git.kernel.org/stable/c/2322462d6f9ad4874f4e3c63df3b5cc00cb1acbd"
},
{
"url": "https://git.kernel.org/stable/c/7041101ff6c3073fd8f2e99920f535b111c929cb"
}
],
"title": "net/sched: sch_fq: fix integer overflow of \"credit\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53624",
"datePublished": "2025-10-07T15:19:29.545Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:29.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53617 (GCVE-0-2023-53617)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: socinfo: Add kfree for kstrdup
Add kfree() in the later error handling in order to avoid memory leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/aspeed/aspeed-socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfb9676ed25be25ca7cd198d0f0e093b76b7bc7f",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "b662856b71343d9e731c1cd4bbe54758c7791abb",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "d9a5ad4477d2a11e9b03f00c52694451e9332228",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "6e6d847a8ce18ab2fbec4f579f682486a82d2c6b",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/aspeed/aspeed-socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: socinfo: Add kfree for kstrdup\n\nAdd kfree() in the later error handling in order to avoid memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:24.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfb9676ed25be25ca7cd198d0f0e093b76b7bc7f"
},
{
"url": "https://git.kernel.org/stable/c/b662856b71343d9e731c1cd4bbe54758c7791abb"
},
{
"url": "https://git.kernel.org/stable/c/d9a5ad4477d2a11e9b03f00c52694451e9332228"
},
{
"url": "https://git.kernel.org/stable/c/6e6d847a8ce18ab2fbec4f579f682486a82d2c6b"
}
],
"title": "soc: aspeed: socinfo: Add kfree for kstrdup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53617",
"datePublished": "2025-10-07T15:19:24.618Z",
"dateReserved": "2025-10-04T15:40:38.481Z",
"dateUpdated": "2025-10-07T15:19:24.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53664 (GCVE-0-2023-53664)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
OPP: Fix potential null ptr dereference in dev_pm_opp_get_required_pstate()
"opp" pointer is dereferenced before the IS_ERR_OR_NULL() check. Fix it by
removing the dereference to cache opp_table and dereference it directly
where opp_table is used.
This fixes the following smatch warning:
drivers/opp/core.c:232 dev_pm_opp_get_required_pstate() warn: variable
dereferenced before IS_ERR check 'opp' (see line 230)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25130b27e0352acb83e91c467853eb9afad3b644",
"status": "affected",
"version": "84cb7ff35fcf7c0b552f553a3f2db9c3e92fc707",
"versionType": "git"
},
{
"lessThan": "7ddd8deb1c3c0363a7e14fafb5df26e2089a69a5",
"status": "affected",
"version": "84cb7ff35fcf7c0b552f553a3f2db9c3e92fc707",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nOPP: Fix potential null ptr dereference in dev_pm_opp_get_required_pstate()\n\n\"opp\" pointer is dereferenced before the IS_ERR_OR_NULL() check. Fix it by\nremoving the dereference to cache opp_table and dereference it directly\nwhere opp_table is used.\n\nThis fixes the following smatch warning:\n\ndrivers/opp/core.c:232 dev_pm_opp_get_required_pstate() warn: variable\ndereferenced before IS_ERR check \u0027opp\u0027 (see line 230)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:23.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25130b27e0352acb83e91c467853eb9afad3b644"
},
{
"url": "https://git.kernel.org/stable/c/7ddd8deb1c3c0363a7e14fafb5df26e2089a69a5"
}
],
"title": "OPP: Fix potential null ptr dereference in dev_pm_opp_get_required_pstate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53664",
"datePublished": "2025-10-07T15:21:23.127Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:23.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53632 (GCVE-0-2023-53632)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Take RTNL lock when needed before calling xdp_set_features()
Hold RTNL lock when calling xdp_set_features() with a registered netdev,
as the call triggers the netdev notifiers. This could happen when
switching from uplink rep to nic profile for example.
This resolves the following call trace:
RTNL: assertion failed at net/core/dev.c (1953)
WARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80
Modules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]
CPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80
Code: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec
RSP: 0018:ffff8882a21c3948 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027
RDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0
RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003
R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968
R13: ffff88811c018940 R14: 0000000000000000 R15: ffff8881274401a0
FS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x79/0x120
? call_netdevice_notifiers_info+0x7c/0x80
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? call_netdevice_notifiers_info+0x7c/0x80
? call_netdevice_notifiers_info+0x7c/0x80
call_netdevice_notifiers+0x2e/0x50
mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]
mlx5e_nic_init+0xf1/0x1a0 [mlx5_core]
mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]
mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]
mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]
mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]
mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core]
__esw_offloads_unload_rep+0x52/0x60 [mlx5_core]
mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core]
esw_offloads_unload_rep+0x34/0x70 [mlx5_core]
esw_offloads_disable+0x2b/0x90 [mlx5_core]
mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core]
mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core]
? devlink_get_from_attrs_lock+0x9e/0x110
devlink_nl_cmd_eswitch_set_doit+0x60/0xe0
genl_family_rcv_msg_doit.isra.0+0xc2/0x110
genl_rcv_msg+0x17d/0x2b0
? devlink_get_from_attrs_lock+0x110/0x110
? devlink_nl_cmd_eswitch_get_doit+0x290/0x290
? devlink_pernet_pre_exit+0xf0/0xf0
? genl_family_rcv_msg_doit.isra.0+0x110/0x110
netlink_rcv_skb+0x54/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x1f6/0x2c0
netlink_sendmsg+0x232/0x4a0
sock_sendmsg+0x38/0x60
? _copy_from_user+0x2a/0x60
__sys_sendto+0x110/0x160
? __count_memcg_events+0x48/0x90
? handle_mm_fault+0x161/0x260
? do_user_addr_fault+0x278/0x6e0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x3d/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16b7775ae4389dd1e885732ea610321c64284e5f",
"status": "affected",
"version": "4d5ab0ad964df178beba031b89429a601893ff61",
"versionType": "git"
},
{
"lessThan": "72cc654970658e88a1cdea08f06b11c218efa4da",
"status": "affected",
"version": "4d5ab0ad964df178beba031b89429a601893ff61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Take RTNL lock when needed before calling xdp_set_features()\n\nHold RTNL lock when calling xdp_set_features() with a registered netdev,\nas the call triggers the netdev notifiers. This could happen when\nswitching from uplink rep to nic profile for example.\n\nThis resolves the following call trace:\n\nRTNL: assertion failed at net/core/dev.c (1953)\nWARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80\nModules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\nCPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:call_netdevice_notifiers_info+0x7c/0x80\nCode: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff \u003c0f\u003e 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec\nRSP: 0018:ffff8882a21c3948 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027\nRDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0\nRBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003\nR10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968\nR13: ffff88811c018940 R14: 
0000000000000000 R15: ffff8881274401a0\nFS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __warn+0x79/0x120\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? call_netdevice_notifiers_info+0x7c/0x80\n call_netdevice_notifiers+0x2e/0x50\n mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]\n mlx5e_nic_init+0xf1/0x1a0 [mlx5_core]\n mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]\n mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]\n mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]\n mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]\n mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core]\n __esw_offloads_unload_rep+0x52/0x60 [mlx5_core]\n mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core]\n esw_offloads_unload_rep+0x34/0x70 [mlx5_core]\n esw_offloads_disable+0x2b/0x90 [mlx5_core]\n mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core]\n ? devlink_get_from_attrs_lock+0x9e/0x110\n devlink_nl_cmd_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit.isra.0+0xc2/0x110\n genl_rcv_msg+0x17d/0x2b0\n ? devlink_get_from_attrs_lock+0x110/0x110\n ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290\n ? devlink_pernet_pre_exit+0xf0/0xf0\n ? genl_family_rcv_msg_doit.isra.0+0x110/0x110\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1f6/0x2c0\n netlink_sendmsg+0x232/0x4a0\n sock_sendmsg+0x38/0x60\n ? _copy_from_user+0x2a/0x60\n __sys_sendto+0x110/0x160\n ? __count_memcg_events+0x48/0x90\n ? handle_mm_fault+0x161/0x260\n ? 
do_user_addr_fault+0x278/0x6e0\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:34.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16b7775ae4389dd1e885732ea610321c64284e5f"
},
{
"url": "https://git.kernel.org/stable/c/72cc654970658e88a1cdea08f06b11c218efa4da"
}
],
"title": "net/mlx5e: Take RTNL lock when needed before calling xdp_set_features()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53632",
"datePublished": "2025-10-07T15:19:34.970Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:34.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50515 (GCVE-0-2022-50515)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
If construction of the array of work queues to handle hpd_rx_irq offload
work fails, we need to unwind. Destroy all the created workqueues and
the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ba3814c00a4817eb1cd31eff08d921c40e5f3a4",
"status": "affected",
"version": "e980e1d978e0eb4c0399cff37f175779237db53b",
"versionType": "git"
},
{
"lessThan": "8b8da09da2701330e7f2c371655887e3d7defe90",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
},
{
"lessThan": "600de40ed50c8b5ecb9c7a4f41eb882066c15a00",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
},
{
"lessThan": "7136f956c73c4ba50bfeb61653dfd6a9669ea915",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()\n\nIf construction of the array of work queues to handle hpd_rx_irq offload\nwork fails, we need to unwind. Destroy all the created workqueues and\nthe allocated memory for the hpd_rx_irq_offload_work_queue struct array."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:10.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ba3814c00a4817eb1cd31eff08d921c40e5f3a4"
},
{
"url": "https://git.kernel.org/stable/c/8b8da09da2701330e7f2c371655887e3d7defe90"
},
{
"url": "https://git.kernel.org/stable/c/600de40ed50c8b5ecb9c7a4f41eb882066c15a00"
},
{
"url": "https://git.kernel.org/stable/c/7136f956c73c4ba50bfeb61653dfd6a9669ea915"
}
],
"title": "drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50515",
"datePublished": "2025-10-07T15:19:10.970Z",
"dateReserved": "2025-10-07T15:15:38.661Z",
"dateUpdated": "2025-10-07T15:19:10.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53637 (GCVE-0-2023-53637)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: ov772x: Fix memleak in ov772x_probe()
A memory leak was reported when testing ov772x with bpf mock device:
AssertionError: unreferenced object 0xffff888109afa7a8 (size 8):
comm "python3", pid 279, jiffies 4294805921 (age 20.681s)
hex dump (first 8 bytes):
80 22 88 15 81 88 ff ff ."......
backtrace:
[<000000009990b438>] __kmalloc_node+0x44/0x1b0
[<000000009e32f7d7>] kvmalloc_node+0x34/0x180
[<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]
[<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x]
[<000000003f0d225e>] i2c_device_probe+0x28d/0x680
[<00000000e0b6db89>] really_probe+0x17c/0x3f0
[<000000001b19fcee>] __driver_probe_device+0xe3/0x170
[<0000000048370519>] driver_probe_device+0x49/0x120
[<000000005ead07a0>] __device_attach_driver+0xf7/0x150
[<0000000043f452b8>] bus_for_each_drv+0x114/0x180
[<00000000358e5596>] __device_attach+0x1e5/0x2d0
[<0000000043f83c5d>] bus_probe_device+0x126/0x140
[<00000000ee0f3046>] device_add+0x810/0x1130
[<00000000e0278184>] i2c_new_client_device+0x359/0x4f0
[<0000000070baf34f>] of_i2c_register_device+0xf1/0x110
[<00000000a9f2159d>] of_i2c_notify+0x100/0x160
unreferenced object 0xffff888119825c00 (size 256):
comm "python3", pid 279, jiffies 4294805921 (age 20.681s)
hex dump (first 32 bytes):
00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^......
10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\......
backtrace:
[<000000009990b438>] __kmalloc_node+0x44/0x1b0
[<000000009e32f7d7>] kvmalloc_node+0x34/0x180
[<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]
[<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev]
[<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x]
[<000000003f0d225e>] i2c_device_probe+0x28d/0x680
[<00000000e0b6db89>] really_probe+0x17c/0x3f0
[<000000001b19fcee>] __driver_probe_device+0xe3/0x170
[<0000000048370519>] driver_probe_device+0x49/0x120
[<000000005ead07a0>] __device_attach_driver+0xf7/0x150
[<0000000043f452b8>] bus_for_each_drv+0x114/0x180
[<00000000358e5596>] __device_attach+0x1e5/0x2d0
[<0000000043f83c5d>] bus_probe_device+0x126/0x140
[<00000000ee0f3046>] device_add+0x810/0x1130
[<00000000e0278184>] i2c_new_client_device+0x359/0x4f0
[<0000000070baf34f>] of_i2c_register_device+0xf1/0x110
The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the
error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all
resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()
are leaked.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov772x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc3b6011d7a9f149489eb9420c6305a779162c57",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "448ce1cd50387b1345ec14eb191ef05f7afc2a26",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "dfaafeb8e9537969e8dba75491f732478c7fa9d6",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "1da495101ef7507eb4f4b1dbec2874d740eff251",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "ac93f8ac66e60227bed42d5a023f0e6c15b52c0a",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "c86d760c1c6855a6131e78d0ddacc48c79324ac3",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "7485edb2b6ca5960205c0a49bedfd09bba30e521",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov772x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov772x: Fix memleak in ov772x_probe()\n\nA memory leak was reported when testing ov772x with bpf mock device:\n\nAssertionError: unreferenced object 0xffff888109afa7a8 (size 8):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 8 bytes):\n 80 22 88 15 81 88 ff ff .\"......\n backtrace:\n [\u003c000000009990b438\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000009e32f7d7\u003e] kvmalloc_node+0x34/0x180\n [\u003c00000000faf48134\u003e] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]\n [\u003c00000000da376937\u003e] ov772x_probe+0x1c3/0x68c [ov772x]\n [\u003c000000003f0d225e\u003e] i2c_device_probe+0x28d/0x680\n [\u003c00000000e0b6db89\u003e] really_probe+0x17c/0x3f0\n [\u003c000000001b19fcee\u003e] __driver_probe_device+0xe3/0x170\n [\u003c0000000048370519\u003e] driver_probe_device+0x49/0x120\n [\u003c000000005ead07a0\u003e] __device_attach_driver+0xf7/0x150\n [\u003c0000000043f452b8\u003e] bus_for_each_drv+0x114/0x180\n [\u003c00000000358e5596\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000043f83c5d\u003e] bus_probe_device+0x126/0x140\n [\u003c00000000ee0f3046\u003e] device_add+0x810/0x1130\n [\u003c00000000e0278184\u003e] i2c_new_client_device+0x359/0x4f0\n [\u003c0000000070baf34f\u003e] of_i2c_register_device+0xf1/0x110\n [\u003c00000000a9f2159d\u003e] of_i2c_notify+0x100/0x160\nunreferenced object 0xffff888119825c00 (size 256):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 32 bytes):\n 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^......\n 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\\.......\\......\n backtrace:\n [\u003c000000009990b438\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000009e32f7d7\u003e] kvmalloc_node+0x34/0x180\n [\u003c0000000073d88e0b\u003e] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]\n [\u003c00000000b1f576fb\u003e] v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n 
[\u003c00000000caf7ac99\u003e] ov772x_probe+0x1fa/0x68c [ov772x]\n [\u003c000000003f0d225e\u003e] i2c_device_probe+0x28d/0x680\n [\u003c00000000e0b6db89\u003e] really_probe+0x17c/0x3f0\n [\u003c000000001b19fcee\u003e] __driver_probe_device+0xe3/0x170\n [\u003c0000000048370519\u003e] driver_probe_device+0x49/0x120\n [\u003c000000005ead07a0\u003e] __device_attach_driver+0xf7/0x150\n [\u003c0000000043f452b8\u003e] bus_for_each_drv+0x114/0x180\n [\u003c00000000358e5596\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000043f83c5d\u003e] bus_probe_device+0x126/0x140\n [\u003c00000000ee0f3046\u003e] device_add+0x810/0x1130\n [\u003c00000000e0278184\u003e] i2c_new_client_device+0x359/0x4f0\n [\u003c0000000070baf34f\u003e] of_i2c_register_device+0xf1/0x110\n\nThe reason is that if priv-\u003ehdl.error is set, ov772x_probe() jumps to the\nerror_mutex_destroy without doing v4l2_ctrl_handler_free(), and all\nresources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()\nare leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:38.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc3b6011d7a9f149489eb9420c6305a779162c57"
},
{
"url": "https://git.kernel.org/stable/c/448ce1cd50387b1345ec14eb191ef05f7afc2a26"
},
{
"url": "https://git.kernel.org/stable/c/dfaafeb8e9537969e8dba75491f732478c7fa9d6"
},
{
"url": "https://git.kernel.org/stable/c/1da495101ef7507eb4f4b1dbec2874d740eff251"
},
{
"url": "https://git.kernel.org/stable/c/ac93f8ac66e60227bed42d5a023f0e6c15b52c0a"
},
{
"url": "https://git.kernel.org/stable/c/c86d760c1c6855a6131e78d0ddacc48c79324ac3"
},
{
"url": "https://git.kernel.org/stable/c/7485edb2b6ca5960205c0a49bedfd09bba30e521"
}
],
"title": "media: i2c: ov772x: Fix memleak in ov772x_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53637",
"datePublished": "2025-10-07T15:19:38.317Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:38.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50514 (GCVE-0-2022-50514)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix refcount leak on error path
When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95412c932b3c9e8cc4431dac4fac8fcd80d54982",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "80dc47e751a837106c09bec73964ff8f7ea280b4",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "e88b89a096af0001bcff6bf7ad2feb1486487173",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "9d4a0aca8a75550d3456c8de339a341dc4536ec5",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "ba78f7c10606719f702c04a15fb0471507b32d7b",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "216437dd64fce36791a3b6cc8f8013df36856958",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "70a3288a7586526315105c699b687d78cd32559a",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix refcount leak on error path\n\nWhen failing to allocate report_desc, opts-\u003erefcnt has already been\nincremented so it needs to be decremented to avoid leaving the options\nstructure permanently locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:10.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95412c932b3c9e8cc4431dac4fac8fcd80d54982"
},
{
"url": "https://git.kernel.org/stable/c/80dc47e751a837106c09bec73964ff8f7ea280b4"
},
{
"url": "https://git.kernel.org/stable/c/e88b89a096af0001bcff6bf7ad2feb1486487173"
},
{
"url": "https://git.kernel.org/stable/c/9d4a0aca8a75550d3456c8de339a341dc4536ec5"
},
{
"url": "https://git.kernel.org/stable/c/ba78f7c10606719f702c04a15fb0471507b32d7b"
},
{
"url": "https://git.kernel.org/stable/c/216437dd64fce36791a3b6cc8f8013df36856958"
},
{
"url": "https://git.kernel.org/stable/c/70a3288a7586526315105c699b687d78cd32559a"
}
],
"title": "usb: gadget: f_hid: fix refcount leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50514",
"datePublished": "2025-10-07T15:19:10.253Z",
"dateReserved": "2025-10-07T15:15:38.661Z",
"dateUpdated": "2025-10-07T15:19:10.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53657 (GCVE-0-2023-53657)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-29 10:50
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Don't tx before switchdev is fully configured
There is a possibility that ice_eswitch_port_start_xmit might be
called while some resources are still not allocated which might
cause NULL pointer dereference. Fix this by checking if switchdev
configuration was finished.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5760a72b3060150b587eff3e879648c7470efddd",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
},
{
"lessThan": "63ff5a94649837d980e3b9ef535c793ec8cb0ca7",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
},
{
"lessThan": "7aa529a69e92b9aff585e569d5003f7c15d8d60b",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don\u0027t tx before switchdev is fully configured\n\nThere is possibility that ice_eswitch_port_start_xmit might be\ncalled while some resources are still not allocated which might\ncause NULL pointer dereference. Fix this by checking if switchdev\nconfiguration was finished."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:40.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5760a72b3060150b587eff3e879648c7470efddd"
},
{
"url": "https://git.kernel.org/stable/c/63ff5a94649837d980e3b9ef535c793ec8cb0ca7"
},
{
"url": "https://git.kernel.org/stable/c/7aa529a69e92b9aff585e569d5003f7c15d8d60b"
}
],
"title": "ice: Don\u0027t tx before switchdev is fully configured",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53657",
"datePublished": "2025-10-07T15:21:18.268Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-29T10:50:40.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53663 (GCVE-0-2023-53663)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Check instead of asserting on nested TSC scaling support

Check for nested TSC scaling support on nested SVM VMRUN instead of
asserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO
has diverged from KVM's default. Userspace can trigger the WARN at will
by writing the MSR and then updating guest CPUID to hide the feature
(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking
KVM's state_test selftest to do

    vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
    vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);

after restoring state in a new VM+vCPU yields an endless supply of:

    ------------[ cut here ]------------
    WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699
      nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]
    Call Trace:
     <TASK>
     enter_svm_guest_mode+0x114/0x560 [kvm_amd]
     nested_svm_vmrun+0x260/0x330 [kvm_amd]
     vmrun_interception+0x29/0x30 [kvm_amd]
     svm_invoke_exit_handler+0x35/0x100 [kvm_amd]
     svm_handle_exit+0xe7/0x180 [kvm_amd]
     kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
     kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
     __se_sys_ioctl+0x7a/0xc0
     __x64_sys_ioctl+0x21/0x30
     do_syscall_64+0x41/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
     RIP: 0033:0x45ca1b

Note, the nested #VMEXIT path has the same flaw, but needs a different
fix and will be handled separately.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c1ecfea1daf6e75c46e295aad99dfbafd878897",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "02b24270568f65dd607c4a848512dc8055b4491b",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "7cafe9b8e22bb3d77f130c461aedf6868c4aaf58",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Check instead of asserting on nested TSC scaling support\n\nCheck for nested TSC scaling support on nested SVM VMRUN instead of\nasserting that TSC scaling is exposed to L1 if L1\u0027s MSR_AMD64_TSC_RATIO\nhas diverged from KVM\u0027s default. Userspace can trigger the WARN at will\nby writing the MSR and then updating guest CPUID to hide the feature\n(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking\nKVM\u0027s state_test selftest to do\n\n\t\tvcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n\t\tvcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699\n nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]\n Call Trace:\n \u003cTASK\u003e\n enter_svm_guest_mode+0x114/0x560 [kvm_amd]\n nested_svm_vmrun+0x260/0x330 [kvm_amd]\n vmrun_interception+0x29/0x30 [kvm_amd]\n svm_invoke_exit_handler+0x35/0x100 [kvm_amd]\n svm_handle_exit+0xe7/0x180 [kvm_amd]\n kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n __se_sys_ioctl+0x7a/0xc0\n __x64_sys_ioctl+0x21/0x30\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x45ca1b\n\nNote, the nested #VMEXIT path has the same flaw, but needs a different\nfix and will be handled separately."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:22.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c1ecfea1daf6e75c46e295aad99dfbafd878897"
},
{
"url": "https://git.kernel.org/stable/c/02b24270568f65dd607c4a848512dc8055b4491b"
},
{
"url": "https://git.kernel.org/stable/c/7cafe9b8e22bb3d77f130c461aedf6868c4aaf58"
}
],
"title": "KVM: nSVM: Check instead of asserting on nested TSC scaling support",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53663",
"datePublished": "2025-10-07T15:21:22.400Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:22.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50522 (GCVE-0-2022-50522)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount
of bus and device name are leaked. Fix this by calling put_device() to give up
the reference, so they can be released in mcb_release_dev() and kobject_cleanup().
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 3764e82e5150d87b205c10cd78a9c9ab86fbfa51 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mcb/mcb-parse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "891f606ae0765bc9ca99f5276735be4d338f0255",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "cf6e70c0ced50b52415ac0c88eba1fb09c500a5a",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "fd85ece416fd7edb945203e59d4cd94952f77e7c",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "110dc34c9fa33d37f55b394b1199ea6c0ad1ee84",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "7b289b791a59386dc23a00d3cf17a0db984b40d3",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "43bfc7c2402a22d3b4eb08c040f274ba2b76461a",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "b948baa29394ec5f4e6ec28486e7d06a76caee91",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "4a9f1a8b3af287581ffb690d0e1593c681729ddb",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
},
{
"lessThan": "728ac3389296caf68638628c987aeae6c8851e2d",
"status": "affected",
"version": "3764e82e5150d87b205c10cd78a9c9ab86fbfa51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mcb/mcb-parse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: mcb-parse: fix error handing in chameleon_parse_gdd()\n\nIf mcb_device_register() returns error in chameleon_parse_gdd(), the refcount\nof bus and device name are leaked. Fix this by calling put_device() to give up\nthe reference, so they can be released in mcb_release_dev() and kobject_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:15.923Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/891f606ae0765bc9ca99f5276735be4d338f0255"
},
{
"url": "https://git.kernel.org/stable/c/cf6e70c0ced50b52415ac0c88eba1fb09c500a5a"
},
{
"url": "https://git.kernel.org/stable/c/fd85ece416fd7edb945203e59d4cd94952f77e7c"
},
{
"url": "https://git.kernel.org/stable/c/110dc34c9fa33d37f55b394b1199ea6c0ad1ee84"
},
{
"url": "https://git.kernel.org/stable/c/7b289b791a59386dc23a00d3cf17a0db984b40d3"
},
{
"url": "https://git.kernel.org/stable/c/43bfc7c2402a22d3b4eb08c040f274ba2b76461a"
},
{
"url": "https://git.kernel.org/stable/c/b948baa29394ec5f4e6ec28486e7d06a76caee91"
},
{
"url": "https://git.kernel.org/stable/c/4a9f1a8b3af287581ffb690d0e1593c681729ddb"
},
{
"url": "https://git.kernel.org/stable/c/728ac3389296caf68638628c987aeae6c8851e2d"
}
],
"title": "mcb: mcb-parse: fix error handing in chameleon_parse_gdd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50522",
"datePublished": "2025-10-07T15:19:15.923Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:15.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53685 (GCVE-0-2023-53685)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

tun: Fix memory leak for detached NAPI queue.

syzkaller reported [0] memory leaks of sk and skb related to the TUN
device with no repro, but we can reproduce it easily with:

    struct ifreq ifr = {}
    int fd_tun, fd_tmp;
    char buf[4] = {};

    fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_WRONLY, 0);
    ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE;
    ioctl(fd_tun, TUNSETIFF, &ifr);

    ifr.ifr_flags = IFF_DETACH_QUEUE;
    ioctl(fd_tun, TUNSETQUEUE, &ifr);

    fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0);
    ifr.ifr_flags = IFF_UP;
    ioctl(fd_tmp, SIOCSIFFLAGS, &ifr);

    write(fd_tun, buf, sizeof(buf));
    close(fd_tun);

If we enable NAPI and multi-queue on a TUN device, we can put skb into
tfile->sk.sk_write_queue after the queue is detached. We should prevent
it by checking tfile->detached before queuing skb.

Note this must be done under tfile->sk.sk_write_queue.lock because write()
and ioctl(IFF_DETACH_QUEUE) can run concurrently. Otherwise, there would
be a small race window:

    write()                             ioctl(IFF_DETACH_QUEUE)
    `- tun_get_user                     `- __tun_detach
       |- if (tfile->detached)             |- tun_disable_queue
       |  `-> false                        |  `- tfile->detached = tun
       |                                   `- tun_queue_purge
       |- spin_lock_bh(&queue->lock)
       `- __skb_queue_tail(queue, skb)

Another solution is to call tun_queue_purge() when closing and
reattaching the detached queue, but it could paper over another
problems. Also, we do the same kind of test for IFF_NAPI_FRAGS.

[0]:
unreferenced object 0xffff88801edbc800 (size 2048):
comm "syz-executor.1", pid 33269, jiffies 4295743834 (age 18.756s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline]
[<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979
[<000000003addde56>] kmalloc include/linux/slab.h:563 [inline]
[<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035
[<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088
[<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438
[<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165
[<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414
[<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920
[<000000008eb24774>] do_open fs/namei.c:3636 [inline]
[<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791
[<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818
[<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356
[<00000000057be699>] do_sys_open fs/open.c:1372 [inline]
[<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline]
[<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline]
[<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383
[<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
[<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
unreferenced object 0xffff88802f671700 (size 240):
comm "syz-executor.1", pid 33269, jiffies 4295743854 (age 18.736s)
hex dump (first 32 bytes):
68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff h.......h.......
00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff ..{/............
backtrace:
[<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644
[<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline]
[<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378
[<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729
[<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline]
[<
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cae243b9ae25adfe468cd47ceca591f6725b79c",
"status": "affected",
"version": "cde8b15f1aabe327038ee4e0e11dd6b798572f69",
"versionType": "git"
},
{
"lessThan": "0d20210a190f76db9ec35ee4e0fc77e6c7a148f5",
"status": "affected",
"version": "cde8b15f1aabe327038ee4e0e11dd6b798572f69",
"versionType": "git"
},
{
"lessThan": "82b2bc279467c875ec36f8ef820f00997c2a4e8e",
"status": "affected",
"version": "cde8b15f1aabe327038ee4e0e11dd6b798572f69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: Fix memory leak for detached NAPI queue.\n\nsyzkaller reported [0] memory leaks of sk and skb related to the TUN\ndevice with no repro, but we can reproduce it easily with:\n\n struct ifreq ifr = {}\n int fd_tun, fd_tmp;\n char buf[4] = {};\n\n fd_tun = openat(AT_FDCWD, \"/dev/net/tun\", O_WRONLY, 0);\n ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE;\n ioctl(fd_tun, TUNSETIFF, \u0026ifr);\n\n ifr.ifr_flags = IFF_DETACH_QUEUE;\n ioctl(fd_tun, TUNSETQUEUE, \u0026ifr);\n\n fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0);\n ifr.ifr_flags = IFF_UP;\n ioctl(fd_tmp, SIOCSIFFLAGS, \u0026ifr);\n\n write(fd_tun, buf, sizeof(buf));\n close(fd_tun);\n\nIf we enable NAPI and multi-queue on a TUN device, we can put skb into\ntfile-\u003esk.sk_write_queue after the queue is detached. We should prevent\nit by checking tfile-\u003edetached before queuing skb.\n\nNote this must be done under tfile-\u003esk.sk_write_queue.lock because write()\nand ioctl(IFF_DETACH_QUEUE) can run concurrently. Otherwise, there would\nbe a small race window:\n\n write() ioctl(IFF_DETACH_QUEUE)\n `- tun_get_user `- __tun_detach\n |- if (tfile-\u003edetached) |- tun_disable_queue\n | `-\u003e false | `- tfile-\u003edetached = tun\n | `- tun_queue_purge\n |- spin_lock_bh(\u0026queue-\u003elock)\n `- __skb_queue_tail(queue, skb)\n\nAnother solution is to call tun_queue_purge() when closing and\nreattaching the detached queue, but it could paper over another\nproblems. Also, we do the same kind of test for IFF_NAPI_FRAGS.\n\n[0]:\nunreferenced object 0xffff88801edbc800 (size 2048):\n comm \"syz-executor.1\", pid 33269, jiffies 4295743834 (age 18.756s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [\u003c000000008c16ea3d\u003e] __do_kmalloc_node mm/slab_common.c:965 [inline]\n [\u003c000000008c16ea3d\u003e] __kmalloc+0x4a/0x130 mm/slab_common.c:979\n [\u003c000000003addde56\u003e] kmalloc include/linux/slab.h:563 [inline]\n [\u003c000000003addde56\u003e] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035\n [\u003c000000003e20621f\u003e] sk_alloc+0x36/0x2f0 net/core/sock.c:2088\n [\u003c0000000028e43843\u003e] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438\n [\u003c000000001b0f1f28\u003e] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165\n [\u003c000000004376f706\u003e] chrdev_open+0x111/0x300 fs/char_dev.c:414\n [\u003c00000000614d379f\u003e] do_dentry_open+0x2f9/0x750 fs/open.c:920\n [\u003c000000008eb24774\u003e] do_open fs/namei.c:3636 [inline]\n [\u003c000000008eb24774\u003e] path_openat+0x143f/0x1a30 fs/namei.c:3791\n [\u003c00000000955077b5\u003e] do_filp_open+0xce/0x1c0 fs/namei.c:3818\n [\u003c00000000b78973b0\u003e] do_sys_openat2+0xf0/0x260 fs/open.c:1356\n [\u003c00000000057be699\u003e] do_sys_open fs/open.c:1372 [inline]\n [\u003c00000000057be699\u003e] __do_sys_openat fs/open.c:1388 [inline]\n [\u003c00000000057be699\u003e] __se_sys_openat fs/open.c:1383 [inline]\n [\u003c00000000057be699\u003e] __x64_sys_openat+0x83/0xf0 fs/open.c:1383\n [\u003c00000000a7d2182d\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003c00000000a7d2182d\u003e] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80\n [\u003c000000004cc4e8c4\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nunreferenced object 0xffff88802f671700 (size 240):\n comm \"syz-executor.1\", pid 33269, jiffies 4295743854 (age 18.736s)\n hex dump (first 32 bytes):\n 68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff h.......h.......\n 00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff ..{/............\n backtrace:\n [\u003c00000000e9d9fdb6\u003e] __alloc_skb+0x223/0x250 net/core/skbuff.c:644\n [\u003c000000002c3e4e0b\u003e] alloc_skb include/linux/skbuff.h:1288 [inline]\n [\u003c000000002c3e4e0b\u003e] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378\n [\u003c00000000825f98d7\u003e] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729\n [\u003c00000000e9eb3df3\u003e] tun_alloc_skb drivers/net/tun.c:1529 [inline]\n [\u003c\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:38.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cae243b9ae25adfe468cd47ceca591f6725b79c"
},
{
"url": "https://git.kernel.org/stable/c/0d20210a190f76db9ec35ee4e0fc77e6c7a148f5"
},
{
"url": "https://git.kernel.org/stable/c/82b2bc279467c875ec36f8ef820f00997c2a4e8e"
}
],
"title": "tun: Fix memory leak for detached NAPI queue.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53685",
"datePublished": "2025-10-07T15:21:38.124Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:38.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50510 (GCVE-0-2022-50510)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
arm_smmu_pmu_init() won't remove the callback added by
cpuhp_setup_state_multi() when platform_driver_register() failed. Remove
the callback by cpuhp_remove_multi_state() in fail path.
Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
arm-ccn: Prevent hotplug callback leak")
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 7d839b4b9e00645e49345d6ce5dfa8edf53c1a21 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_smmuv3_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d69bdb61d577297d3851fc9f6403574bf73ef41f",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
},
{
"lessThan": "359286f886feef38536eaa7e673dc3440f03b0a1",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
},
{
"lessThan": "b131304fe722853cf26e55c4fa21fc58a36e7f21",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
},
{
"lessThan": "f245ca9a0fe7f794a8187ad803d5e2ced5a11cb2",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
},
{
"lessThan": "582babe17ea878ec1d76f30e03f3a6ce6e30eb91",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
},
{
"lessThan": "6f2d566b46436a50a80d6445e82879686b89588c",
"status": "affected",
"version": "7d839b4b9e00645e49345d6ce5dfa8edf53c1a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_smmuv3_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()\n\narm_smmu_pmu_init() won\u0027t remove the callback added by\ncpuhp_setup_state_multi() when platform_driver_register() failed. Remove\nthe callback by cpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:07.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d69bdb61d577297d3851fc9f6403574bf73ef41f"
},
{
"url": "https://git.kernel.org/stable/c/359286f886feef38536eaa7e673dc3440f03b0a1"
},
{
"url": "https://git.kernel.org/stable/c/b131304fe722853cf26e55c4fa21fc58a36e7f21"
},
{
"url": "https://git.kernel.org/stable/c/f245ca9a0fe7f794a8187ad803d5e2ced5a11cb2"
},
{
"url": "https://git.kernel.org/stable/c/582babe17ea878ec1d76f30e03f3a6ce6e30eb91"
},
{
"url": "https://git.kernel.org/stable/c/6f2d566b46436a50a80d6445e82879686b89588c"
}
],
"title": "perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50510",
"datePublished": "2025-10-07T15:19:07.425Z",
"dateReserved": "2025-10-07T15:11:44.887Z",
"dateUpdated": "2025-10-07T15:19:07.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53667 (GCVE-0-2023-53667)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize

Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
the calculated "min" value, but greater than zero, the logic sets
tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
cdc_ncm_fill_tx_frame() where all the data is handled.

For small values of dwNtbOutMaxSize the memory allocated during
alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
how size is aligned at alloc time:

    size = SKB_DATA_ALIGN(size);
    size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));

Thus we hit the same bug that we tried to squash with
commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")

Low values of dwNtbOutMaxSize do not cause an issue presently because at
alloc_skb() time more memory (512b) is allocated than required for the
SKB headers alone (320b), leaving some space (512b - 320b = 192b)
for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

    skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:113!
    invalid opcode: 0000 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
    Workqueue: mld mld_ifc_work
    RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
    RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
    [snip]
    Call Trace:
     <TASK>
     skb_put+0x151/0x210 net/core/skbuff.c:2047
     skb_put_zero include/linux/skbuff.h:2422 [inline]
     cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
     cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
     cdc_ncm_tx_fixup+0xa3/0x100

Deal with too low values of dwNtbOutMaxSize, clamp it in the range
[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
enough data space is allocated to handle CDC data by making sure
dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2334ff0b343ba6ba7a6c0586fcc83992bbbc1776",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "bf415bfe7573596ac213b4fd1da9e62cfc9a9413",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "ff484163dfb61b58f23e4dbd007de1094427669c",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "42b78c8cc774b47023d6d16d96d54cc7015e4a07",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "9be921854e983a81a0aeeae5febcd87093086e46",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "6147745d43ff4e0d2c542e5b93e398ef0ee4db00",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "72d0240b0ee4794efc683975c213e4b384fea733",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "7e01c7f7046efc2c7c192c3619db43292b98e997",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.317",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.285",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.245",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say \u0027struct skb_shared_info\u0027,\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:\u003cNULL\u003e\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 
0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n \u003cTASK\u003e\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:25.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"
},
{
"url": "https://git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413"
},
{
"url": "https://git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669c"
},
{
"url": "https://git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07"
},
{
"url": "https://git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46"
},
{
"url": "https://git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00"
},
{
"url": "https://git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733"
},
{
"url": "https://git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997"
}
],
"title": "net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53667",
"datePublished": "2025-10-07T15:21:25.185Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:25.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53659 (GCVE-0-2023-53659)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix out-of-bounds when setting channels on remove
If we set channels greater during iavf_remove(), and waiting reset done
would be timeout, then returned with error but changed num_active_queues
directly, that will lead to OOB like the following logs. Because the
num_active_queues is greater than tx/rx_rings[] allocated actually.
Reproducer:
    [root@host ~]# cat repro.sh
    #!/bin/bash

    pf_dbsf="0000:41:00.0"
    vf0_dbsf="0000:41:02.0"
    g_pids=()

    function do_set_numvf()
    {
        echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
        sleep $((RANDOM%3+1))
        echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
        sleep $((RANDOM%3+1))
    }

    function do_set_channel()
    {
        local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
        [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
        ifconfig $nic 192.168.18.5 netmask 255.255.255.0
        ifconfig $nic up
        ethtool -L $nic combined 1
        ethtool -L $nic combined 4
        sleep $((RANDOM%3))
    }

    function on_exit()
    {
        local pid
        for pid in "${g_pids[@]}"; do
            kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
        done
        g_pids=()
    }

    trap "on_exit; exit" EXIT

    while :; do do_set_numvf ; done &
    g_pids+=($!)
    while :; do do_set_channel ; done &
    g_pids+=($!)

    wait
Result:
[ 3506.152887] iavf 0000:41:02.0: Removing device
[ 3510.400799] ==================================================================
[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536
[ 3510.400823]
[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
[ 3510.400835] Call Trace:
[ 3510.400851] dump_stack+0x71/0xab
[ 3510.400860] print_address_description+0x6b/0x290
[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400868] kasan_report+0x14a/0x2b0
[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf]
[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf]
[ 3510.400891] ? wait_woken+0x1d0/0x1d0
[ 3510.400895] ? notifier_call_chain+0xc1/0x130
[ 3510.400903] pci_device_remove+0xa8/0x1f0
[ 3510.400910] device_release_driver_internal+0x1c6/0x460
[ 3510.400916] pci_stop_bus_device+0x101/0x150
[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20
[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420
[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10
[ 3510.400929] ? pci_get_subsys+0x90/0x90
[ 3510.400932] sriov_disable+0xed/0x3e0
[ 3510.400936] ? bus_find_device+0x12d/0x1a0
[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e]
[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
[ 3510.400968] ? pci_get_device+0x7c/0x90
[ 3510.400970] ? pci_get_subsys+0x90/0x90
[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210
[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10
[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
[ 3510.401001] sriov_numvfs_store+0x214/0x290
[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30
[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10
[ 3510.401011] ? __check_object_size+0x15a/0x350
[ 3510.401018] kernfs_fop_write+0x280/0x3f0
[ 3510.401022] vfs_write+0x145/0x440
[ 3510.401025] ksys_write+0xab/0x160
[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0
[ 3510.401031] ? fput_many+0x1a/0x120
[ 3510.401032] ? filp_close+0xf0/0x130
[ 3510.401038] do_syscall_64+0xa0/0x370
[ 3510.401041] ? page_fault+0x8/0x30
[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 3510.401073] RIP: 0033:0x7f3a9bb842c0
[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b92defe4e8ee86996c16417ad8c804cb4395fddd",
"status": "affected",
"version": "1555d83ddbb7204ef60c58aee6ca3bbef2c5e99f",
"versionType": "git"
},
{
"lessThan": "0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9",
"status": "affected",
"version": "68d4274034e618b7f190dc9fbfc4f3436a7430f4",
"versionType": "git"
},
{
"lessThan": "6e1d8f1332076a002e6d910d255aa5903d341c56",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
},
{
"lessThan": "65ecebc9ac09427b2c65f271cd5e5bd536c3fe38",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
},
{
"lessThan": "7c4bced3caa749ce468b0c5de711c98476b23a52",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix out-of-bounds when setting channels on remove\n\nIf we set channels greater during iavf_remove(), and waiting reset done\nwould be timeout, then returned with error but changed num_active_queues\ndirectly, that will lead to OOB like the following logs. Because the\nnum_active_queues is greater than tx/rx_rings[] allocated actually.\n\nReproducer:\n\n [root@host ~]# cat repro.sh\n #!/bin/bash\n\n pf_dbsf=\"0000:41:00.0\"\n vf0_dbsf=\"0000:41:02.0\"\n g_pids=()\n\n function do_set_numvf()\n {\n echo 2 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n echo 0 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n }\n\n function do_set_channel()\n {\n local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n [ -z \"$nic\" ] \u0026\u0026 { sleep $((RANDOM%3)) ; return 1; }\n ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n ifconfig $nic up\n ethtool -L $nic combined 1\n ethtool -L $nic combined 4\n sleep $((RANDOM%3))\n }\n\n function on_exit()\n {\n local pid\n for pid in \"${g_pids[@]}\"; do\n kill -0 \"$pid\" \u0026\u003e/dev/null \u0026\u0026 kill \"$pid\" \u0026\u003e/dev/null\n done\n g_pids=()\n }\n\n trap \"on_exit; exit\" EXIT\n\n while :; do do_set_numvf ; done \u0026\n g_pids+=($!)\n while :; do do_set_channel ; done \u0026\n g_pids+=($!)\n\n wait\n\nResult:\n\n[ 3506.152887] iavf 0000:41:02.0: Removing device\n[ 3510.400799] ==================================================================\n[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536\n[ 3510.400823]\n[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1\n[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 3510.400835] Call Trace:\n[ 
3510.400851] dump_stack+0x71/0xab\n[ 3510.400860] print_address_description+0x6b/0x290\n[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400868] kasan_report+0x14a/0x2b0\n[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf]\n[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf]\n[ 3510.400891] ? wait_woken+0x1d0/0x1d0\n[ 3510.400895] ? notifier_call_chain+0xc1/0x130\n[ 3510.400903] pci_device_remove+0xa8/0x1f0\n[ 3510.400910] device_release_driver_internal+0x1c6/0x460\n[ 3510.400916] pci_stop_bus_device+0x101/0x150\n[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20\n[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420\n[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10\n[ 3510.400929] ? pci_get_subsys+0x90/0x90\n[ 3510.400932] sriov_disable+0xed/0x3e0\n[ 3510.400936] ? bus_find_device+0x12d/0x1a0\n[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e]\n[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 3510.400968] ? pci_get_device+0x7c/0x90\n[ 3510.400970] ? pci_get_subsys+0x90/0x90\n[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210\n[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 3510.401001] sriov_numvfs_store+0x214/0x290\n[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30\n[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.401011] ? __check_object_size+0x15a/0x350\n[ 3510.401018] kernfs_fop_write+0x280/0x3f0\n[ 3510.401022] vfs_write+0x145/0x440\n[ 3510.401025] ksys_write+0xab/0x160\n[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0\n[ 3510.401031] ? fput_many+0x1a/0x120\n[ 3510.401032] ? filp_close+0xf0/0x130\n[ 3510.401038] do_syscall_64+0xa0/0x370\n[ 3510.401041] ? 
page_fault+0x8/0x30\n[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 3510.401073] RIP: 0033:0x7f3a9bb842c0\n[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:19.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b92defe4e8ee86996c16417ad8c804cb4395fddd"
},
{
"url": "https://git.kernel.org/stable/c/0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9"
},
{
"url": "https://git.kernel.org/stable/c/6e1d8f1332076a002e6d910d255aa5903d341c56"
},
{
"url": "https://git.kernel.org/stable/c/65ecebc9ac09427b2c65f271cd5e5bd536c3fe38"
},
{
"url": "https://git.kernel.org/stable/c/7c4bced3caa749ce468b0c5de711c98476b23a52"
}
],
"title": "iavf: Fix out-of-bounds when setting channels on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53659",
"datePublished": "2025-10-07T15:21:19.619Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:19.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50548 (GCVE-0-2022-50548)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: hi846: Fix memory leak in hi846_parse_dt()
If any of the checks related to the supported link frequencies fail, then
the V4L2 fwnode resources don't get released before returning, which leads
to a memleak. Fix this by properly freeing the V4L2 fwnode data in a
designated label.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/hi846.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a05a9ae9ef3fffc9bc7ec2bc432a249a01155f6e",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
},
{
"lessThan": "4368730678412a8fa71960dbda81e122dafa70f7",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
},
{
"lessThan": "80113026d415e27483669db7a88b548d1ec3d3d1",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/hi846.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: hi846: Fix memory leak in hi846_parse_dt()\n\nIf any of the checks related to the supported link frequencies fail, then\nthe V4L2 fwnode resources don\u0027t get released before returning, which leads\nto a memleak. Fix this by properly freeing the V4L2 fwnode data in a\ndesignated label."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:11.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a05a9ae9ef3fffc9bc7ec2bc432a249a01155f6e"
},
{
"url": "https://git.kernel.org/stable/c/4368730678412a8fa71960dbda81e122dafa70f7"
},
{
"url": "https://git.kernel.org/stable/c/80113026d415e27483669db7a88b548d1ec3d3d1"
}
],
"title": "media: i2c: hi846: Fix memory leak in hi846_parse_dt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50548",
"datePublished": "2025-10-07T15:21:11.318Z",
"dateReserved": "2025-10-07T15:15:38.668Z",
"dateUpdated": "2025-10-07T15:21:11.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50519 (GCVE-0-2022-50519)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
If creation or finalization of a checkpoint fails due to anomalies in the
checkpoint metadata on disk, a kernel warning is generated.
This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted
with panic_on_warn, does not panic. A nilfs_error is appropriate here to
handle the abnormal filesystem condition.
This also replaces the detected error codes with an I/O error so that
neither of the internal error codes is returned to callers.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b63026b5e13040cd5afa11769dd0d9e1504b031a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae16440c44ae2acda6d72aff9d74eccf8967dae5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf98be80cbe3b4e6c86c36ed00457389aca3eb15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "259c0f68168ac6a598db3486597b10e74d625db0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a18fdc5ae8e6d7ac33c6ee0a2e5f9f1414ef412",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0c3d3d3ea41cb5228ee90568bb953f9a56c3227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "090fcfb6edeb9367a915b2749e2bd1f8b48d8898",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5c0776b5bc31de7cd28afb558fae37a20f33602e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "723ac751208f6d6540191689cfbf6c77135a7a1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.218",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure\n\nIf creation or finalization of a checkpoint fails due to anomalies in the\ncheckpoint metadata on disk, a kernel warning is generated.\n\nThis patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted\nwith panic_on_warn, does not panic. A nilfs_error is appropriate here to\nhandle the abnormal filesystem condition.\n\nThis also replaces the detected error codes with an I/O error so that\nneither of the internal error codes is returned to callers."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:13.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b63026b5e13040cd5afa11769dd0d9e1504b031a"
},
{
"url": "https://git.kernel.org/stable/c/ae16440c44ae2acda6d72aff9d74eccf8967dae5"
},
{
"url": "https://git.kernel.org/stable/c/bf98be80cbe3b4e6c86c36ed00457389aca3eb15"
},
{
"url": "https://git.kernel.org/stable/c/259c0f68168ac6a598db3486597b10e74d625db0"
},
{
"url": "https://git.kernel.org/stable/c/8a18fdc5ae8e6d7ac33c6ee0a2e5f9f1414ef412"
},
{
"url": "https://git.kernel.org/stable/c/c0c3d3d3ea41cb5228ee90568bb953f9a56c3227"
},
{
"url": "https://git.kernel.org/stable/c/090fcfb6edeb9367a915b2749e2bd1f8b48d8898"
},
{
"url": "https://git.kernel.org/stable/c/5c0776b5bc31de7cd28afb558fae37a20f33602e"
},
{
"url": "https://git.kernel.org/stable/c/723ac751208f6d6540191689cfbf6c77135a7a1b"
}
],
"title": "nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50519",
"datePublished": "2025-10-07T15:19:13.844Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:13.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53683 (GCVE-0-2023-53683)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-29 10:50
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for
crafted filesystem image can contain bogus length. These conditions are
not kernel bugs that can justify kernel to panic.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: f62f5ee63052324ad94dd05091743d9e09f72070 Version: ab778439c6fa0071698b62a351f79d319fd72c53 Version: 781fa141414ef18b52f15037497155f80bf0ecab Version: 1f881d9201f6e0a917004a14329f9ff3d0bfa1e5 Version: 48d9e2e6de01ed35e965eb549758a837c07b601d Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61af77acd039ffd221bf7adf0dc95d0a4d377505",
"status": "affected",
"version": "f62f5ee63052324ad94dd05091743d9e09f72070",
"versionType": "git"
},
{
"lessThan": "c074913b12db3632b11588b31bbfb0fa80a0a1c9",
"status": "affected",
"version": "ab778439c6fa0071698b62a351f79d319fd72c53",
"versionType": "git"
},
{
"lessThan": "a75d9211a07fed513c08c5d4861c4a36ac6a74fe",
"status": "affected",
"version": "781fa141414ef18b52f15037497155f80bf0ecab",
"versionType": "git"
},
{
"lessThan": "c8daee66585897a4c90d937c91e762100237bff9",
"status": "affected",
"version": "1f881d9201f6e0a917004a14329f9ff3d0bfa1e5",
"versionType": "git"
},
{
"lessThan": "37cab61a52d6f42b2d961c51bcf369f09e235fb5",
"status": "affected",
"version": "48d9e2e6de01ed35e965eb549758a837c07b601d",
"versionType": "git"
},
{
"lessThan": "48960a503fcec76d3f72347b7e679dda08ca43be",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "3a9d68d84b2e41ba3f2a727b36f035fad6800492",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "81b21c0f0138ff5a499eafc3eb0578ad2a99622c",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()\n\nsyzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for\ncrafted filesystem image can contain bogus length. There conditions are\nnot kernel bugs that can justify kernel to panic."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:43.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61af77acd039ffd221bf7adf0dc95d0a4d377505"
},
{
"url": "https://git.kernel.org/stable/c/c074913b12db3632b11588b31bbfb0fa80a0a1c9"
},
{
"url": "https://git.kernel.org/stable/c/a75d9211a07fed513c08c5d4861c4a36ac6a74fe"
},
{
"url": "https://git.kernel.org/stable/c/c8daee66585897a4c90d937c91e762100237bff9"
},
{
"url": "https://git.kernel.org/stable/c/37cab61a52d6f42b2d961c51bcf369f09e235fb5"
},
{
"url": "https://git.kernel.org/stable/c/48960a503fcec76d3f72347b7e679dda08ca43be"
},
{
"url": "https://git.kernel.org/stable/c/3a9d68d84b2e41ba3f2a727b36f035fad6800492"
},
{
"url": "https://git.kernel.org/stable/c/81b21c0f0138ff5a499eafc3eb0578ad2a99622c"
}
],
"title": "fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53683",
"datePublished": "2025-10-07T15:21:36.715Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-29T10:50:43.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53628 (GCVE-0-2023-53628)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-29 10:50
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: drop gfx_v11_0_cp_ecc_error_irq_funcs
The gfx.cp_ecc_error_irq is retired in gfx11. In gfx_v11_0_hw_fini still
use amdgpu_irq_put to disable this interrupt, which caused the call trace
in this function.
[ 102.873958] Call Trace:
[ 102.873959] <TASK>
[ 102.873961] gfx_v11_0_hw_fini+0x23/0x1e0 [amdgpu]
[ 102.874019] gfx_v11_0_suspend+0xe/0x20 [amdgpu]
[ 102.874072] amdgpu_device_ip_suspend_phase2+0x240/0x460 [amdgpu]
[ 102.874122] amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]
[ 102.874172] amdgpu_device_pre_asic_reset+0xd9/0x490 [amdgpu]
[ 102.874223] amdgpu_device_gpu_recover.cold+0x548/0xce6 [amdgpu]
[ 102.874321] amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]
[ 102.874375] process_one_work+0x21f/0x3f0
[ 102.874377] worker_thread+0x200/0x3e0
[ 102.874378] ? process_one_work+0x3f0/0x3f0
[ 102.874379] kthread+0xfd/0x130
[ 102.874380] ? kthread_complete_and_exit+0x20/0x20
[ 102.874381] ret_from_fork+0x22/0x30
v2:
- Handle umc and gfx ras cases in separated patch
- Retired the gfx_v11_0_cp_ecc_error_irq_funcs in gfx11
v3:
- Improve the subject and code comments
- Add judgment on gfx11 in the function of amdgpu_gfx_ras_late_init
v4:
- Drop the define of CP_ME1_PIPE_INST_ADDR_INTERVAL and
SET_ECC_ME_PIPE_STATE which using in gfx_v11_0_set_cp_ecc_error_state
- Check cp_ecc_error_irq.funcs rather than ip version for a more
sustainable life
v5:
- Simplify judgment conditions
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31b07aec4a2bdcab00770ea3a18efe49734ce153",
"status": "affected",
"version": "790bef488b4ac4ceb52f5cda2a67c0d9bbb56d8c",
"versionType": "git"
},
{
"lessThan": "720b47229a5b24061d1c2e29ddb6043a59178d79",
"status": "affected",
"version": "790bef488b4ac4ceb52f5cda2a67c0d9bbb56d8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: drop gfx_v11_0_cp_ecc_error_irq_funcs\n\nThe gfx.cp_ecc_error_irq is retired in gfx11. In gfx_v11_0_hw_fini still\nuse amdgpu_irq_put to disable this interrupt, which caused the call trace\nin this function.\n\n[ 102.873958] Call Trace:\n[ 102.873959] \u003cTASK\u003e\n[ 102.873961] gfx_v11_0_hw_fini+0x23/0x1e0 [amdgpu]\n[ 102.874019] gfx_v11_0_suspend+0xe/0x20 [amdgpu]\n[ 102.874072] amdgpu_device_ip_suspend_phase2+0x240/0x460 [amdgpu]\n[ 102.874122] amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]\n[ 102.874172] amdgpu_device_pre_asic_reset+0xd9/0x490 [amdgpu]\n[ 102.874223] amdgpu_device_gpu_recover.cold+0x548/0xce6 [amdgpu]\n[ 102.874321] amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]\n[ 102.874375] process_one_work+0x21f/0x3f0\n[ 102.874377] worker_thread+0x200/0x3e0\n[ 102.874378] ? process_one_work+0x3f0/0x3f0\n[ 102.874379] kthread+0xfd/0x130\n[ 102.874380] ? kthread_complete_and_exit+0x20/0x20\n[ 102.874381] ret_from_fork+0x22/0x30\n\nv2:\n- Handle umc and gfx ras cases in separated patch\n- Retired the gfx_v11_0_cp_ecc_error_irq_funcs in gfx11\n\nv3:\n- Improve the subject and code comments\n- Add judgment on gfx11 in the function of amdgpu_gfx_ras_late_init\n\nv4:\n- Drop the define of CP_ME1_PIPE_INST_ADDR_INTERVAL and\nSET_ECC_ME_PIPE_STATE which using in gfx_v11_0_set_cp_ecc_error_state\n- Check cp_ecc_error_irq.funcs rather than ip version for a more\nsustainable life\n\nv5:\n- Simplify judgment conditions"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:38.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31b07aec4a2bdcab00770ea3a18efe49734ce153"
},
{
"url": "https://git.kernel.org/stable/c/720b47229a5b24061d1c2e29ddb6043a59178d79"
}
],
"title": "drm/amdgpu: drop gfx_v11_0_cp_ecc_error_irq_funcs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53628",
"datePublished": "2025-10-07T15:19:32.272Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-29T10:50:38.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50512 (GCVE-0-2022-50512)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix potential memory leak in ext4_fc_record_regions()
As krealloc may return NULL, in this case 'state->fc_regions' may not be
freed by krealloc, but 'state->fc_regions' already set NULL. Then will
lead to 'state->fc_regions' memory leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cfb769d60a2a57eb3566765428b6131cd16dcfe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "417b0455a0b6d0f60a2930592731d1f8340e24be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4058b869e6c5e517c79e30532a350d0f3115c3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "518566e71ad86b7c2f1bf6d9caee9588bb7ac158",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7069d105c1f15c442b68af43f7fde784f3126739",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_regions()\n\nAs krealloc may return NULL, in this case \u0027state-\u003efc_regions\u0027 may not be\nfreed by krealloc, but \u0027state-\u003efc_regions\u0027 already set NULL. Then will\nlead to \u0027state-\u003efc_regions\u0027 memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:08.854Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cfb769d60a2a57eb3566765428b6131cd16dcfe"
},
{
"url": "https://git.kernel.org/stable/c/417b0455a0b6d0f60a2930592731d1f8340e24be"
},
{
"url": "https://git.kernel.org/stable/c/a4058b869e6c5e517c79e30532a350d0f3115c3e"
},
{
"url": "https://git.kernel.org/stable/c/518566e71ad86b7c2f1bf6d9caee9588bb7ac158"
},
{
"url": "https://git.kernel.org/stable/c/7069d105c1f15c442b68af43f7fde784f3126739"
}
],
"title": "ext4: fix potential memory leak in ext4_fc_record_regions()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50512",
"datePublished": "2025-10-07T15:19:08.854Z",
"dateReserved": "2025-10-07T15:14:58.491Z",
"dateUpdated": "2025-10-07T15:19:08.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53684 (GCVE-0-2023-53684)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Zero padding when dumping algos and encap
When copying data to user-space we should ensure that only valid
data is copied over. Padding in structures may be filled with
random (possibly sensitive) data and should never be given directly
to user-space.
This patch fixes the copying of xfrm algorithms and the encap
template in xfrm_user so that padding is zeroed.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0725daaa9a879388ed312110f62dbd5ea2d75f8f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5218af4ad5d8948faac19f71583bcd786c3852df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a351e26cc010d6991fbbd5701ac16581372e26f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8222d5910dae08213b6d9d4bc9a7f8502855e624",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Zero padding when dumping algos and encap\n\nWhen copying data to user-space we should ensure that only valid\ndata is copied over. Padding in structures may be filled with\nrandom (possibly sensitve) data and should never be given directly\nto user-space.\n\nThis patch fixes the copying of xfrm algorithms and the encap\ntemplate in xfrm_user so that padding is zeroed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:37.413Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0725daaa9a879388ed312110f62dbd5ea2d75f8f"
},
{
"url": "https://git.kernel.org/stable/c/5218af4ad5d8948faac19f71583bcd786c3852df"
},
{
"url": "https://git.kernel.org/stable/c/1a351e26cc010d6991fbbd5701ac16581372e26f"
},
{
"url": "https://git.kernel.org/stable/c/8222d5910dae08213b6d9d4bc9a7f8502855e624"
}
],
"title": "xfrm: Zero padding when dumping algos and encap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53684",
"datePublished": "2025-10-07T15:21:37.413Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:37.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53621 (GCVE-0-2023-53621)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
memcontrol: ensure memcg acquired by id is properly set up
In the eviction recency check, we attempt to retrieve the memcg to which
the folio belonged when it was evicted, by the memcg id stored in the
shadow entry. However, there is a chance that the retrieved memcg is not
the original memcg that has been killed, but a new one which happens to
have the same id.
This is a somewhat unfortunate, but acceptable and rare inaccuracy in the
heuristics. However, if we retrieve this new memcg between its allocation
and when it is properly attached to the memcg hierarchy, we could run into
the following NULL pointer exception during the memcg hierarchy traversal
done in mem_cgroup_get_nr_swap_pages():
[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 155757.807568] #PF: supervisor read access in kernel mode
[ 155757.818024] #PF: error_code(0x0000) - not-present page
[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0
[ 155757.839985] Oops: 0000 [#1] SMP
[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0
[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 <48> 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48
[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286
[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000
[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000
[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0
[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000
[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354
[ 155758.019991] FS: 00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000
[ 155758.036356] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0
[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 155758.091376] PKRU: 55555554
[ 155758.096957] Call Trace:
[ 155758.102016] <TASK>
[ 155758.106502] ? __die+0x78/0xc0
[ 155758.112793] ? page_fault_oops+0x286/0x380
[ 155758.121175] ? exc_page_fault+0x5d/0x110
[ 155758.129209] ? asm_exc_page_fault+0x22/0x30
[ 155758.137763] ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0
[ 155758.148060] workingset_test_recent+0xda/0x1b0
[ 155758.157133] workingset_refault+0xca/0x1e0
[ 155758.165508] filemap_add_folio+0x4d/0x70
[ 155758.173538] page_cache_ra_unbounded+0xed/0x190
[ 155758.182919] page_cache_sync_ra+0xd6/0x1e0
[ 155758.191738] filemap_read+0x68d/0xdf0
[ 155758.199495] ? mlx5e_napi_poll+0x123/0x940
[ 155758.207981] ? __napi_schedule+0x55/0x90
[ 155758.216095] __x64_sys_pread64+0x1d6/0x2c0
[ 155758.224601] do_syscall_64+0x3d/0x80
[ 155758.232058] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 155758.242473] RIP: 0033:0x7f62c29153b5
[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b
[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011
[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5
[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076
[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c
[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041
[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450
[ 155758.376661] </TASK>
This patch fixes the issue by moving the memcg's id publication from the
alloc stage to
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9d30c38ee859d833a51131b5b4b864c7a6219d0",
"status": "affected",
"version": "f78dfc7b77d5c3527d0f895bef693f711802de5a",
"versionType": "git"
},
{
"lessThan": "6f0df8e16eb543167f2929cb756e695709a3551d",
"status": "affected",
"version": "f78dfc7b77d5c3527d0f895bef693f711802de5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcontrol: ensure memcg acquired by id is properly set up\n\nIn the eviction recency check, we attempt to retrieve the memcg to which\nthe folio belonged when it was evicted, by the memcg id stored in the\nshadow entry. However, there is a chance that the retrieved memcg is not\nthe original memcg that has been killed, but a new one which happens to\nhave the same id.\n\nThis is a somewhat unfortunate, but acceptable and rare inaccuracy in the\nheuristics. However, if we retrieve this new memcg between its allocation\nand when it is properly attached to the memcg hierarchy, we could run into\nthe following NULL pointer exception during the memcg hierarchy traversal\ndone in mem_cgroup_get_nr_swap_pages():\n\n[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[ 155757.807568] #PF: supervisor read access in kernel mode\n[ 155757.818024] #PF: error_code(0x0000) - not-present page\n[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0\n[ 155757.839985] Oops: 0000 [#1] SMP\n[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 \u003c48\u003e 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48\n[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286\n[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000\n[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000\n[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0\n[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000\n[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354\n[ 155758.019991] FS: 00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000\n[ 155758.036356] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0\n[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 155758.091376] PKRU: 55555554\n[ 155758.096957] Call Trace:\n[ 155758.102016] \u003cTASK\u003e\n[ 155758.106502] ? __die+0x78/0xc0\n[ 155758.112793] ? page_fault_oops+0x286/0x380\n[ 155758.121175] ? exc_page_fault+0x5d/0x110\n[ 155758.129209] ? asm_exc_page_fault+0x22/0x30\n[ 155758.137763] ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155758.148060] workingset_test_recent+0xda/0x1b0\n[ 155758.157133] workingset_refault+0xca/0x1e0\n[ 155758.165508] filemap_add_folio+0x4d/0x70\n[ 155758.173538] page_cache_ra_unbounded+0xed/0x190\n[ 155758.182919] page_cache_sync_ra+0xd6/0x1e0\n[ 155758.191738] filemap_read+0x68d/0xdf0\n[ 155758.199495] ? mlx5e_napi_poll+0x123/0x940\n[ 155758.207981] ? __napi_schedule+0x55/0x90\n[ 155758.216095] __x64_sys_pread64+0x1d6/0x2c0\n[ 155758.224601] do_syscall_64+0x3d/0x80\n[ 155758.232058] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 155758.242473] RIP: 0033:0x7f62c29153b5\n[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b\n[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5\n[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076\n[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c\n[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041\n[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450\n[ 155758.376661] \u003c/TASK\u003e\n\nThis patch 
fixes the issue by moving the memcg\u0027s id publication from the\nalloc stage to \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:27.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9d30c38ee859d833a51131b5b4b864c7a6219d0"
},
{
"url": "https://git.kernel.org/stable/c/6f0df8e16eb543167f2929cb756e695709a3551d"
}
],
"title": "memcontrol: ensure memcg acquired by id is properly set up",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53621",
"datePublished": "2025-10-07T15:19:27.372Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:27.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50529 (GCVE-0-2022-50529)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
test_firmware: fix memory leak in test_firmware_init()
When misc_register() failed in test_firmware_init(), the memory pointed
by test_fw_config->name is not released. The memory leak information is
as follows:
unreferenced object 0xffff88810a34cb00 (size 32):
comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)
hex dump (first 32 bytes):
74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi
6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
backtrace:
[<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0
[<ffffffff81affb96>] kstrndup+0x46/0xc0
[<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]
[<ffffffffa040f068>] 0xffffffffa040f068
[<ffffffff81002c41>] do_one_initcall+0x141/0x780
[<ffffffff816a72c3>] do_init_module+0x1c3/0x630
[<ffffffff816adb9e>] load_module+0x623e/0x76a0
[<ffffffff816af471>] __do_sys_finit_module+0x181/0x240
[<ffffffff89978f99>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: c92316bf8e94830a0225f2e904cbdbd173768419 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/test_firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed5cbafaf7ce8b86f19998c00eb020c8d49b017f",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "04dd47a2e169f2d4489636afa07ff0469aab49ab",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "628de998a3abfffb3f9677d2fb39a1d5dcb32fdb",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "0b5a89e8bce1ea43687742b4de8e216189ff94ac",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "357379d504c0c8b0834e206ad8c49e4b3c98ed4d",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "8d8c1d6a430f0aadb80036e2b1bc0a05f9fad247",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "6dd5fbd243f19f087dc79481acb7d69fb57fea2c",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/test_firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntest_firmware: fix memory leak in test_firmware_init()\n\nWhen misc_register() failed in test_firmware_init(), the memory pointed\nby test_fw_config-\u003ename is not released. The memory leak information is\nas follows:\nunreferenced object 0xffff88810a34cb00 (size 32):\n comm \"insmod\", pid 7952, jiffies 4294948236 (age 49.060s)\n hex dump (first 32 bytes):\n 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi\n 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............\n backtrace:\n [\u003cffffffff81b21fcb\u003e] __kmalloc_node_track_caller+0x4b/0xc0\n [\u003cffffffff81affb96\u003e] kstrndup+0x46/0xc0\n [\u003cffffffffa0403a49\u003e] __test_firmware_config_init+0x29/0x380 [test_firmware]\n [\u003cffffffffa040f068\u003e] 0xffffffffa040f068\n [\u003cffffffff81002c41\u003e] do_one_initcall+0x141/0x780\n [\u003cffffffff816a72c3\u003e] do_init_module+0x1c3/0x630\n [\u003cffffffff816adb9e\u003e] load_module+0x623e/0x76a0\n [\u003cffffffff816af471\u003e] __do_sys_finit_module+0x181/0x240\n [\u003cffffffff89978f99\u003e] do_syscall_64+0x39/0xb0\n [\u003cffffffff89a0008b\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:20.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed5cbafaf7ce8b86f19998c00eb020c8d49b017f"
},
{
"url": "https://git.kernel.org/stable/c/04dd47a2e169f2d4489636afa07ff0469aab49ab"
},
{
"url": "https://git.kernel.org/stable/c/628de998a3abfffb3f9677d2fb39a1d5dcb32fdb"
},
{
"url": "https://git.kernel.org/stable/c/0b5a89e8bce1ea43687742b4de8e216189ff94ac"
},
{
"url": "https://git.kernel.org/stable/c/357379d504c0c8b0834e206ad8c49e4b3c98ed4d"
},
{
"url": "https://git.kernel.org/stable/c/8d8c1d6a430f0aadb80036e2b1bc0a05f9fad247"
},
{
"url": "https://git.kernel.org/stable/c/6dd5fbd243f19f087dc79481acb7d69fb57fea2c"
},
{
"url": "https://git.kernel.org/stable/c/7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e"
}
],
"title": "test_firmware: fix memory leak in test_firmware_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50529",
"datePublished": "2025-10-07T15:19:20.581Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:20.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50555 (GCVE-0-2022-50555)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix a null-ptr-deref in tipc_topsrv_accept
syzbot found a crash in tipc_topsrv_accept:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Workqueue: tipc_rcv tipc_topsrv_accept
RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487
Call Trace:
<TASK>
tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
It was caused by srv->listener that might be set to null by
tipc_topsrv_stop() in net .exit whereas it's still used in
tipc_topsrv_accept() worker.
srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add
a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to
avoid the null-ptr-deref. To ensure the lsock is not released during the
tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()
where it's waiting until the tipc_topsrv_accept worker to be done.
Note that sk_callback_lock is used to protect sk->sk_user_data instead of
srv->listener, and it should check srv in tipc_topsrv_listener_data_ready()
instead. This also ensures that no more tipc_topsrv_accept worker will be
started after tipc_conn_close() is called in tipc_topsrv_stop() where it
sets sk->sk_user_data to null.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce69bdac2310152bb70845024d5d704c52aabfc3",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
},
{
"lessThan": "24b129aed8730e48f47d852d58d76825ab6f407c",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
},
{
"lessThan": "32a3d4660b34ce49ac0162338ebe362098e2f5df",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
},
{
"lessThan": "7a939503fc32bff4ed60800b73ff7fbb4aea2142",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
},
{
"lessThan": "cedb41664e27b2cae7e21487f1bee22dcd84037d",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
},
{
"lessThan": "82cb4e4612c633a9ce320e1773114875604a3cce",
"status": "affected",
"version": "0ef897be12b8b4cf297b6016e79ec97ec90f2cf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a null-ptr-deref in tipc_topsrv_accept\n\nsyzbot found a crash in tipc_topsrv_accept:\n\n KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n Workqueue: tipc_rcv tipc_topsrv_accept\n RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487\n Call Trace:\n \u003cTASK\u003e\n tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460\n process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e4/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nIt was caused by srv-\u003elistener that might be set to null by\ntipc_topsrv_stop() in net .exit whereas it\u0027s still used in\ntipc_topsrv_accept() worker.\n\nsrv-\u003elistener is protected by srv-\u003eidr_lock in tipc_topsrv_stop(), so add\na check for srv-\u003elistener under srv-\u003eidr_lock in tipc_topsrv_accept() to\navoid the null-ptr-deref. To ensure the lsock is not released during the\ntipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()\nwhere it\u0027s waiting until the tipc_topsrv_accept worker to be done.\n\nNote that sk_callback_lock is used to protect sk-\u003esk_user_data instead of\nsrv-\u003elistener, and it should check srv in tipc_topsrv_listener_data_ready()\ninstead. This also ensures that no more tipc_topsrv_accept worker will be\nstarted after tipc_conn_close() is called in tipc_topsrv_stop() where it\nsets sk-\u003esk_user_data to null."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:16.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3"
},
{
"url": "https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c"
},
{
"url": "https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df"
},
{
"url": "https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142"
},
{
"url": "https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d"
},
{
"url": "https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce"
}
],
"title": "tipc: fix a null-ptr-deref in tipc_topsrv_accept",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50555",
"datePublished": "2025-10-07T15:21:16.179Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:16.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53678 (GCVE-0-2023-53678)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix system suspend without fbdev being initialized
If fbdev is not initialized for some reason - in practice on platforms
without display - suspending fbdev should be skipped during system
suspend, fix this up. While at it add an assert that suspending fbdev
only happens with the display present.
This fixes the following:
[ 91.227923] PM: suspend entry (s2idle)
[ 91.254598] Filesystems sync: 0.025 seconds
[ 91.270518] Freezing user space processes
[ 91.272266] Freezing user space processes completed (elapsed 0.001 seconds)
[ 91.272686] OOM killer disabled.
[ 91.272872] Freezing remaining freezable tasks
[ 91.274295] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 91.659622] BUG: kernel NULL pointer dereference, address: 00000000000001c8
[ 91.659981] #PF: supervisor write access in kernel mode
[ 91.660252] #PF: error_code(0x0002) - not-present page
[ 91.660511] PGD 0 P4D 0
[ 91.660647] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 91.660875] CPU: 4 PID: 917 Comm: bash Not tainted 6.2.0-rc7+ #54
[ 91.661185] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20221117gitfff6d81270b5-9.fc37 unknown
[ 91.661680] RIP: 0010:mutex_lock+0x19/0x30
[ 91.661914] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 62 d3 ff ff 31 c0 65 48 8b 14 25 00 15 03 00 <f0> 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40
[ 91.662840] RSP: 0018:ffffa1e8011ffc08 EFLAGS: 00010246
[ 91.663087] RAX: 0000000000000000 RBX: 00000000000001c8 RCX: 0000000000000000
[ 91.663440] RDX: ffff8be455eb0000 RSI: 0000000000000001 RDI: 00000000000001c8
[ 91.663802] RBP: ffff8be459440000 R08: ffff8be459441f08 R09: ffffffff8e1432c0
[ 91.664167] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 91.664532] R13: 00000000000001c8 R14: 0000000000000000 R15: ffff8be442f4fb20
[ 91.664905] FS: 00007f28ffc16740(0000) GS:ffff8be4bb900000(0000) knlGS:0000000000000000
[ 91.665334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 91.665626] CR2: 00000000000001c8 CR3: 0000000114926006 CR4: 0000000000770ee0
[ 91.665988] PKRU: 55555554
[ 91.666131] Call Trace:
[ 91.666265] <TASK>
[ 91.666381] intel_fbdev_set_suspend+0x97/0x1b0 [i915]
[ 91.666738] i915_drm_suspend+0xb9/0x100 [i915]
[ 91.667029] pci_pm_suspend+0x78/0x170
[ 91.667234] ? __pfx_pci_pm_suspend+0x10/0x10
[ 91.667461] dpm_run_callback+0x47/0x150
[ 91.667673] __device_suspend+0x10a/0x4e0
[ 91.667880] dpm_suspend+0x134/0x270
[ 91.668069] dpm_suspend_start+0x79/0x80
[ 91.668272] suspend_devices_and_enter+0x11b/0x890
[ 91.668526] pm_suspend.cold+0x270/0x2fc
[ 91.668737] state_store+0x46/0x90
[ 91.668916] kernfs_fop_write_iter+0x11b/0x200
[ 91.669153] vfs_write+0x1e1/0x3a0
[ 91.669336] ksys_write+0x53/0xd0
[ 91.669510] do_syscall_64+0x58/0xc0
[ 91.669699] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0
[ 91.669980] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0
[ 91.670278] ? syscall_exit_to_user_mode+0x17/0x40
[ 91.670524] ? do_syscall_64+0x67/0xc0
[ 91.670717] ? __irq_exit_rcu+0x3d/0x140
[ 91.670931] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 91.671202] RIP: 0033:0x7f28ffd14284
v2: CC stable. (Jani)
References: https://gitlab.freedesktop.org/drm/intel/-/issues/8015
(cherry picked from commit 9542d708409a41449e99c9a464deb5e062c4bee2)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_fbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27b5871abd5cc068c549fd23062c82e257fc0b9c",
"status": "affected",
"version": "f8cc091e05305231c8f747ca253a90ff0cea60b9",
"versionType": "git"
},
{
"lessThan": "8ed572d5a0f1509e691a75a0e3d3588050371f1e",
"status": "affected",
"version": "f8cc091e05305231c8f747ca253a90ff0cea60b9",
"versionType": "git"
},
{
"lessThan": "8038510b1fe443ffbc0e356db5f47cbb8678a594",
"status": "affected",
"version": "f8cc091e05305231c8f747ca253a90ff0cea60b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_fbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix system suspend without fbdev being initialized\n\nIf fbdev is not initialized for some reason - in practice on platforms\nwithout display - suspending fbdev should be skipped during system\nsuspend, fix this up. While at it add an assert that suspending fbdev\nonly happens with the display present.\n\nThis fixes the following:\n\n[ 91.227923] PM: suspend entry (s2idle)\n[ 91.254598] Filesystems sync: 0.025 seconds\n[ 91.270518] Freezing user space processes\n[ 91.272266] Freezing user space processes completed (elapsed 0.001 seconds)\n[ 91.272686] OOM killer disabled.\n[ 91.272872] Freezing remaining freezable tasks\n[ 91.274295] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[ 91.659622] BUG: kernel NULL pointer dereference, address: 00000000000001c8\n[ 91.659981] #PF: supervisor write access in kernel mode\n[ 91.660252] #PF: error_code(0x0002) - not-present page\n[ 91.660511] PGD 0 P4D 0\n[ 91.660647] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 91.660875] CPU: 4 PID: 917 Comm: bash Not tainted 6.2.0-rc7+ #54\n[ 91.661185] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20221117gitfff6d81270b5-9.fc37 unknown\n[ 91.661680] RIP: 0010:mutex_lock+0x19/0x30\n[ 91.661914] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 62 d3 ff ff 31 c0 65 48 8b 14 25 00 15 03 00 \u003cf0\u003e 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40\n[ 91.662840] RSP: 0018:ffffa1e8011ffc08 EFLAGS: 00010246\n[ 91.663087] RAX: 0000000000000000 RBX: 00000000000001c8 RCX: 0000000000000000\n[ 91.663440] RDX: ffff8be455eb0000 RSI: 0000000000000001 RDI: 00000000000001c8\n[ 91.663802] RBP: ffff8be459440000 R08: ffff8be459441f08 R09: ffffffff8e1432c0\n[ 91.664167] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[ 91.664532] R13: 00000000000001c8 R14: 0000000000000000 R15: ffff8be442f4fb20\n[ 91.664905] FS: 
00007f28ffc16740(0000) GS:ffff8be4bb900000(0000) knlGS:0000000000000000\n[ 91.665334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 91.665626] CR2: 00000000000001c8 CR3: 0000000114926006 CR4: 0000000000770ee0\n[ 91.665988] PKRU: 55555554\n[ 91.666131] Call Trace:\n[ 91.666265] \u003cTASK\u003e\n[ 91.666381] intel_fbdev_set_suspend+0x97/0x1b0 [i915]\n[ 91.666738] i915_drm_suspend+0xb9/0x100 [i915]\n[ 91.667029] pci_pm_suspend+0x78/0x170\n[ 91.667234] ? __pfx_pci_pm_suspend+0x10/0x10\n[ 91.667461] dpm_run_callback+0x47/0x150\n[ 91.667673] __device_suspend+0x10a/0x4e0\n[ 91.667880] dpm_suspend+0x134/0x270\n[ 91.668069] dpm_suspend_start+0x79/0x80\n[ 91.668272] suspend_devices_and_enter+0x11b/0x890\n[ 91.668526] pm_suspend.cold+0x270/0x2fc\n[ 91.668737] state_store+0x46/0x90\n[ 91.668916] kernfs_fop_write_iter+0x11b/0x200\n[ 91.669153] vfs_write+0x1e1/0x3a0\n[ 91.669336] ksys_write+0x53/0xd0\n[ 91.669510] do_syscall_64+0x58/0xc0\n[ 91.669699] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0\n[ 91.669980] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0\n[ 91.670278] ? syscall_exit_to_user_mode+0x17/0x40\n[ 91.670524] ? do_syscall_64+0x67/0xc0\n[ 91.670717] ? __irq_exit_rcu+0x3d/0x140\n[ 91.670931] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[ 91.671202] RIP: 0033:0x7f28ffd14284\n\nv2: CC stable. (Jani)\n\nReferences: https://gitlab.freedesktop.org/drm/intel/-/issues/8015\n(cherry picked from commit 9542d708409a41449e99c9a464deb5e062c4bee2)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:33.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27b5871abd5cc068c549fd23062c82e257fc0b9c"
},
{
"url": "https://git.kernel.org/stable/c/8ed572d5a0f1509e691a75a0e3d3588050371f1e"
},
{
"url": "https://git.kernel.org/stable/c/8038510b1fe443ffbc0e356db5f47cbb8678a594"
}
],
"title": "drm/i915: Fix system suspend without fbdev being initialized",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53678",
"datePublished": "2025-10-07T15:21:33.220Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:33.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50527 (GCVE-0-2022-50527)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".
v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80546eef216854a7bd47e39e828f04b406c00599",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7554886daa31eacc8e7fac9e15bbce67d10b8f1f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix size validation for non-exclusive domains (v4)\n\nFix amdgpu_bo_validate_size() to check whether the TTM domain manager for the\nrequested memory exists, else we get a kernel oops when dereferencing \"man\".\n\nv2: Make the patch standalone, i.e. not dependent on local patches.\nv3: Preserve old behaviour and just check that the manager pointer is not\n NULL.\nv4: Complain if GTT domain requested and it is uninitialized--most likely a\n bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:19.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80546eef216854a7bd47e39e828f04b406c00599"
},
{
"url": "https://git.kernel.org/stable/c/8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1"
},
{
"url": "https://git.kernel.org/stable/c/7554886daa31eacc8e7fac9e15bbce67d10b8f1f"
}
],
"title": "drm/amdgpu: Fix size validation for non-exclusive domains (v4)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50527",
"datePublished": "2025-10-07T15:19:19.238Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:19.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53673 (GCVE-0-2023-53673)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: call disconnect callback before deleting conn
In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, otherwise use-after-free occurs.
ISO:
==========================================================
iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
... <no iso_* activity on sk/conn> ...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
==========================================================
L2CAP:
==================================================================
hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx___lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX:
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59bd1e476bbc7bc6dff3c61bba787095a4839796",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
},
{
"lessThan": "093a07052406b363b1b2ab489e17dbadaf3e509b",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
},
{
"lessThan": "7f7cfcb6f0825652973b780f248603e23f16ee90",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... 
\u003cno iso_* activity on sk/conn\u003e ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? 
__pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:29.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59bd1e476bbc7bc6dff3c61bba787095a4839796"
},
{
"url": "https://git.kernel.org/stable/c/093a07052406b363b1b2ab489e17dbadaf3e509b"
},
{
"url": "https://git.kernel.org/stable/c/7f7cfcb6f0825652973b780f248603e23f16ee90"
}
],
"title": "Bluetooth: hci_event: call disconnect callback before deleting conn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53673",
"datePublished": "2025-10-07T15:21:29.632Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:29.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53661 (GCVE-0-2023-53661)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt: avoid overflow in bnxt_get_nvram_directory()
The value of an arithmetic expression is subject
of possible overflow due to a failure to cast operands to a larger data
type before performing arithmetic. Used macro for multiplication instead
operator for avoiding overflow.
Found by Security Code and Linux Verification
Center (linuxtesting.org) with SVACE.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5eaf2a6b077f32a477feb1e9e1c1f60605b460e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efb1a257513438d43f4335f09b2f684e8167cad2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17e0453a7523ad7a25bb47af941b150a6c66d7b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c6dddc239abe660598c49ec95ea0ed6399a4b2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: avoid overflow in bnxt_get_nvram_directory()\n\nThe value of an arithmetic expression is subject\nof possible overflow due to a failure to cast operands to a larger data\ntype before performing arithmetic. Used macro for multiplication instead\noperator for avoiding overflow.\n\nFound by Security Code and Linux Verification\nCenter (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:20.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5eaf2a6b077f32a477feb1e9e1c1f60605b460e"
},
{
"url": "https://git.kernel.org/stable/c/efb1a257513438d43f4335f09b2f684e8167cad2"
},
{
"url": "https://git.kernel.org/stable/c/17e0453a7523ad7a25bb47af941b150a6c66d7b6"
},
{
"url": "https://git.kernel.org/stable/c/7c6dddc239abe660598c49ec95ea0ed6399a4b2a"
}
],
"title": "bnxt: avoid overflow in bnxt_get_nvram_directory()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53661",
"datePublished": "2025-10-07T15:21:20.987Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:20.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53636 (GCVE-0-2023-53636)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: microchip: fix potential UAF in auxdev release callback
Similar to commit 1c11289b34ab ("peci: cpu: Fix use-after-free in
adev_release()"), the auxiliary device is not torn down in the correct
order. If auxiliary_device_add() fails, the release callback will be
called twice, resulting in a UAF. Due to timing, the auxdev code in this
driver "took inspiration" from the aforementioned commit, and thus its
bugs too!
Moving auxiliary_device_uninit() to the unregister callback instead
avoids the issue.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b4052aa956e11bcd19e50ca559eb38dcb46201b",
"status": "affected",
"version": "b56bae2dd6fda6baf3bb74af3812676eebdd52f2",
"versionType": "git"
},
{
"lessThan": "d7d6dacf39ed102d7667721ca1700022c9c8b11a",
"status": "affected",
"version": "b56bae2dd6fda6baf3bb74af3812676eebdd52f2",
"versionType": "git"
},
{
"lessThan": "934406b2d42eaf3fc57f5546cc68ff7ab9680bb3",
"status": "affected",
"version": "b56bae2dd6fda6baf3bb74af3812676eebdd52f2",
"versionType": "git"
},
{
"lessThan": "7455b7007b9e93bcc2bc9c1c6c73a228e3152069",
"status": "affected",
"version": "b56bae2dd6fda6baf3bb74af3812676eebdd52f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: microchip: fix potential UAF in auxdev release callback\n\nSimilar to commit 1c11289b34ab (\"peci: cpu: Fix use-after-free in\nadev_release()\"), the auxiliary device is not torn down in the correct\norder. If auxiliary_device_add() fails, the release callback will be\ncalled twice, resulting in a UAF. Due to timing, the auxdev code in this\ndriver \"took inspiration\" from the aforementioned commit, and thus its\nbugs too!\n\nMoving auxiliary_device_uninit() to the unregister callback instead\navoids the issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:37.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b4052aa956e11bcd19e50ca559eb38dcb46201b"
},
{
"url": "https://git.kernel.org/stable/c/d7d6dacf39ed102d7667721ca1700022c9c8b11a"
},
{
"url": "https://git.kernel.org/stable/c/934406b2d42eaf3fc57f5546cc68ff7ab9680bb3"
},
{
"url": "https://git.kernel.org/stable/c/7455b7007b9e93bcc2bc9c1c6c73a228e3152069"
}
],
"title": "clk: microchip: fix potential UAF in auxdev release callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53636",
"datePublished": "2025-10-07T15:19:37.655Z",
"dateReserved": "2025-10-07T15:16:59.657Z",
"dateUpdated": "2025-10-07T15:19:37.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53646 (GCVE-0-2023-53646)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/perf: add sentinel to xehp_oa_b_counters
Arrays passed to reg_in_range_table should end with empty record.
The patch solves KASAN detected bug with signature:
BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]
Read of size 4 at addr ffffffffa1555d90 by task perf/1518
CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1
Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023
Call Trace:
<TASK>
...
xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]
(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21d92025e80629fd5c25cd6751f8cf38c784dd4a",
"status": "affected",
"version": "0fa9349dda030fa847b36f880a5eea25c3202b66",
"versionType": "git"
},
{
"lessThan": "785b3f667b4bf98804cad135005e964df0c750de",
"status": "affected",
"version": "0fa9349dda030fa847b36f880a5eea25c3202b66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/perf: add sentinel to xehp_oa_b_counters\n\nArrays passed to reg_in_range_table should end with empty record.\n\nThe patch solves KASAN detected bug with signature:\nBUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\nRead of size 4 at addr ffffffffa1555d90 by task perf/1518\n\nCPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1\nHardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023\nCall Trace:\n\u003cTASK\u003e\n...\nxehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\n\n(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:44.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21d92025e80629fd5c25cd6751f8cf38c784dd4a"
},
{
"url": "https://git.kernel.org/stable/c/785b3f667b4bf98804cad135005e964df0c750de"
}
],
"title": "drm/i915/perf: add sentinel to xehp_oa_b_counters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53646",
"datePublished": "2025-10-07T15:19:44.412Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:44.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50513 (GCVE-0-2022-50513)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
released. Besides, considering there are only two error paths and the
first one can directly return, so we do not need implicitly jump to the
`exit` tag to execute the error handler.
So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
rtw_init_cmd_priv(). As there is no proper device to test with, no runtime
testing was performed.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5d8f05edb36fc4ab15beec62cb6ab62f5a60fe2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cc39db24a63f68314473621020ed8cad7be423",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39bef9c6a91bbb790d04c1347cfeae584541fb6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5be64ff6d21f7805a91e6d81f53fc19cd9f0fae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8db6ca84eee0ac258706f3fca54f7c021cb159ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "708056fba733a73d926772ea4ce9a42d240345da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()\n\nIn rtw_init_cmd_priv(), if `pcmdpriv-\u003ersp_allocated_buf` is allocated\nin failure, then `pcmdpriv-\u003ecmd_allocated_buf` will be not properly\nreleased. Besides, considering there are only two error paths and the\nfirst one can directly return, so we do not need implicitly jump to the\n`exit` tag to execute the error handler.\n\nSo this patch added `kfree(pcmdpriv-\u003ecmd_allocated_buf);` on the error\npath to release the resource and simplified the return logic of\nrtw_init_cmd_priv(). As there is no proper device to test with, no runtime\ntesting was performed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:09.547Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5d8f05edb36fc4ab15beec62cb6ab62f5a60fe2"
},
{
"url": "https://git.kernel.org/stable/c/e6cc39db24a63f68314473621020ed8cad7be423"
},
{
"url": "https://git.kernel.org/stable/c/39bef9c6a91bbb790d04c1347cfeae584541fb6a"
},
{
"url": "https://git.kernel.org/stable/c/a5be64ff6d21f7805a91e6d81f53fc19cd9f0fae"
},
{
"url": "https://git.kernel.org/stable/c/8db6ca84eee0ac258706f3fca54f7c021cb159ef"
},
{
"url": "https://git.kernel.org/stable/c/708056fba733a73d926772ea4ce9a42d240345da"
}
],
"title": "staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50513",
"datePublished": "2025-10-07T15:19:09.547Z",
"dateReserved": "2025-10-07T15:14:58.492Z",
"dateUpdated": "2025-10-07T15:19:09.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53631 (GCVE-0-2023-53631)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-sysman: Fix reference leak
If a duplicate attribute is found using kset_find_obj(),
a reference to that attribute is returned. This means
that we need to dispose it accordingly. Use kobject_put()
to dispose the duplicate attribute in such a case.
Compile-tested only.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d079a3e1ccdd183b75db4f5289be347980b45284",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "6ced15ff1746006476f1407fe722911a45a7874d",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "c5402011992bcc2b5614fe7fef24f9cdaec7473b",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "9d9e03bec147407826266580e7d6ec427241d859",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "7295a996fdab7bf83dc3d4078fa8b139b8e0a1bf",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-sysman: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(),\na reference to that attribute is returned. This means\nthat we need to dispose it accordingly. Use kobject_put()\nto dispose the duplicate attribute in such a case.\n\nCompile-tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:34.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d079a3e1ccdd183b75db4f5289be347980b45284"
},
{
"url": "https://git.kernel.org/stable/c/6ced15ff1746006476f1407fe722911a45a7874d"
},
{
"url": "https://git.kernel.org/stable/c/c5402011992bcc2b5614fe7fef24f9cdaec7473b"
},
{
"url": "https://git.kernel.org/stable/c/9d9e03bec147407826266580e7d6ec427241d859"
},
{
"url": "https://git.kernel.org/stable/c/7295a996fdab7bf83dc3d4078fa8b139b8e0a1bf"
}
],
"title": "platform/x86: dell-sysman: Fix reference leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53631",
"datePublished": "2025-10-07T15:19:34.289Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:34.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53674 (GCVE-0-2023-53674)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: Fix memory leak in devm_clk_notifier_register()
devm_clk_notifier_register() allocates a devres resource for clk
notifier but didn't register that to the device, so the notifier didn't
get unregistered on device detach and the allocated resource was leaked.
Fix the issue by registering the resource through devres_add().
This issue was found with kmemleak on a Chromebook.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a326cf0107b197e649bbaa2a2b1355894826ce32",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "49451db71b746df990888068961f1033f7c9b734",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "cb1b04fd4283fc8f9acefe0ddc61ba072ed44877",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "efbbda79b2881a04dcd0e8f28634933d79e17e49",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "7fb933e56f77a57ef7cfc59fc34cbbf1b1fa31ff",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix memory leak in devm_clk_notifier_register()\n\ndevm_clk_notifier_register() allocates a devres resource for clk\nnotifier but didn\u0027t register that to the device, so the notifier didn\u0027t\nget unregistered on device detach and the allocated resource was leaked.\n\nFix the issue by registering the resource through devres_add().\n\nThis issue was found with kmemleak on a Chromebook."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:30.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a326cf0107b197e649bbaa2a2b1355894826ce32"
},
{
"url": "https://git.kernel.org/stable/c/49451db71b746df990888068961f1033f7c9b734"
},
{
"url": "https://git.kernel.org/stable/c/cb1b04fd4283fc8f9acefe0ddc61ba072ed44877"
},
{
"url": "https://git.kernel.org/stable/c/efbbda79b2881a04dcd0e8f28634933d79e17e49"
},
{
"url": "https://git.kernel.org/stable/c/7fb933e56f77a57ef7cfc59fc34cbbf1b1fa31ff"
}
],
"title": "clk: Fix memory leak in devm_clk_notifier_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53674",
"datePublished": "2025-10-07T15:21:30.320Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:30.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53626 (GCVE-0-2023-53626)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix possible double unlock when moving a directory
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 8dac5a63cf79707b547ea3d425fead5f4482198f Version: 0c440f14558bfacd22c6935ae1fd4b2a09e96b5d Version: c50fc503ee1b97f12c98e26afc39fdaebebcf04f Version: b0bb13612292ca90fa4c2a7e425375649bc50d3e Version: 291cd19d107e197306869cb3237c1bba62d13182 Version: 0813299c586b175d7edb25f56412c54b812d0379 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c16cbd8233d6c58fc488545393e49b5d55729990",
"status": "affected",
"version": "8dac5a63cf79707b547ea3d425fead5f4482198f",
"versionType": "git"
},
{
"lessThan": "020166bc6669ca9fb267ebd96bd88c4fb64a5d46",
"status": "affected",
"version": "0c440f14558bfacd22c6935ae1fd4b2a09e96b5d",
"versionType": "git"
},
{
"lessThan": "1c93c42c7bb23057bde8a0a2ab834927ff64d20c",
"status": "affected",
"version": "c50fc503ee1b97f12c98e26afc39fdaebebcf04f",
"versionType": "git"
},
{
"lessThan": "e71eb4dca41f0f36823724ced0406bb2dbdd5506",
"status": "affected",
"version": "b0bb13612292ca90fa4c2a7e425375649bc50d3e",
"versionType": "git"
},
{
"lessThan": "43ce288ab5d7274a4a141d7f5e3ed2ab7b41f8a2",
"status": "affected",
"version": "291cd19d107e197306869cb3237c1bba62d13182",
"versionType": "git"
},
{
"lessThan": "70e42feab2e20618ddd0cbfc4ab4b08628236ecd",
"status": "affected",
"version": "0813299c586b175d7edb25f56412c54b812d0379",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.4.238",
"status": "affected",
"version": "5.4.237",
"versionType": "semver"
},
{
"lessThan": "5.10.176",
"status": "affected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThan": "5.15.104",
"status": "affected",
"version": "5.15.103",
"versionType": "semver"
},
{
"lessThan": "6.1.21",
"status": "affected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThan": "6.2.8",
"status": "affected",
"version": "6.2.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.238",
"versionStartIncluding": "5.4.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.176",
"versionStartIncluding": "5.10.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.104",
"versionStartIncluding": "5.15.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.21",
"versionStartIncluding": "6.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.8",
"versionStartIncluding": "6.2.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix possible double unlock when moving a directory"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:30.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c16cbd8233d6c58fc488545393e49b5d55729990"
},
{
"url": "https://git.kernel.org/stable/c/020166bc6669ca9fb267ebd96bd88c4fb64a5d46"
},
{
"url": "https://git.kernel.org/stable/c/1c93c42c7bb23057bde8a0a2ab834927ff64d20c"
},
{
"url": "https://git.kernel.org/stable/c/e71eb4dca41f0f36823724ced0406bb2dbdd5506"
},
{
"url": "https://git.kernel.org/stable/c/43ce288ab5d7274a4a141d7f5e3ed2ab7b41f8a2"
},
{
"url": "https://git.kernel.org/stable/c/70e42feab2e20618ddd0cbfc4ab4b08628236ecd"
}
],
"title": "ext4: fix possible double unlock when moving a directory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53626",
"datePublished": "2025-10-07T15:19:30.895Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:30.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53642 (GCVE-0-2023-53642)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-10 16:10
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86: fix clear_user_rep_good() exception handling annotation
This code no longer exists in mainline, because it was removed in
commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory
clearing") upstream.
However, rather than backport the full range of x86 memory clearing and
copying cleanups, fix the exception table annotation placement for the
final 'rep movsb' in clear_user_rep_good(): rather than pointing at the
actual instruction that did the user space access, it pointed to the
register move just before it.
That made sense from a code flow standpoint, but not from an actual
usage standpoint: it means that if user access takes an exception, the
exception handler won't actually find the instruction in the exception
tables.
As a result, rather than fixing it up and returning -EFAULT, it would
then turn it into a kernel oops report instead, something like:
BUG: unable to handle page fault for address: 0000000020081000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
...
RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147
...
Call Trace:
__clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]
clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]
iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800
iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]
iomap_dio_iter fs/iomap/direct-io.c:440 [inline]
__iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601
iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689
ext4_dio_read_iter fs/ext4/file.c:94 [inline]
ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145
call_read_iter include/linux/fs.h:2183 [inline]
do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733
do_iter_read+0x2f2/0x750 fs/read_write.c:796
vfs_readv+0xe5/0x150 fs/read_write.c:916
do_preadv+0x1b6/0x270 fs/read_write.c:1008
__do_sys_preadv2 fs/read_write.c:1070 [inline]
__se_sys_preadv2 fs/read_write.c:1061 [inline]
__x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which then looks like a filesystem bug rather than the incorrect
exception annotation that it is.
[ The alternative to this one-liner fix is to take the upstream series
that cleans this all up:
68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies")
20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing")
adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies")
* d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing")
3639a535587d ("x86: move stac/clac from user copy routines into callers")
577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case")
8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function")
427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function")
* e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM")
e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()")
034ff37d3407 ("x86: rewrite '__copy_user_nocache' function")
with either the whole series or at a minimum the two marked commits
being needed to fix this issue ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/lib/clear_page_64.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76ce32682635fe907e0f8e64e039e773e5c7508f",
"status": "affected",
"version": "0db7058e8e23e6bbab1b4747ecabd1784c34f50b",
"versionType": "git"
},
{
"lessThan": "e046fe5a36a970bc14fbfbcb2074a48776f6b671",
"status": "affected",
"version": "0db7058e8e23e6bbab1b4747ecabd1784c34f50b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/lib/clear_page_64.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix clear_user_rep_good() exception handling annotation\n\nThis code no longer exists in mainline, because it was removed in\ncommit d2c95f9d6802 (\"x86: don\u0027t use REP_GOOD or ERMS for user memory\nclearing\") upstream.\n\nHowever, rather than backport the full range of x86 memory clearing and\ncopying cleanups, fix the exception table annotation placement for the\nfinal \u0027rep movsb\u0027 in clear_user_rep_good(): rather than pointing at the\nactual instruction that did the user space access, it pointed to the\nregister move just before it.\n\nThat made sense from a code flow standpoint, but not from an actual\nusage standpoint: it means that if user access takes an exception, the\nexception handler won\u0027t actually find the instruction in the exception\ntables.\n\nAs a result, rather than fixing it up and returning -EFAULT, it would\nthen turn it into a kernel oops report instead, something like:\n\n BUG: unable to handle page fault for address: 0000000020081000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n ...\n RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147\n ...\n Call Trace:\n __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]\n clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]\n iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800\n iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]\n iomap_dio_iter fs/iomap/direct-io.c:440 [inline]\n __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601\n iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689\n ext4_dio_read_iter fs/ext4/file.c:94 [inline]\n ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145\n call_read_iter include/linux/fs.h:2183 [inline]\n do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733\n do_iter_read+0x2f2/0x750 fs/read_write.c:796\n vfs_readv+0xe5/0x150 fs/read_write.c:916\n do_preadv+0x1b6/0x270 fs/read_write.c:1008\n 
__do_sys_preadv2 fs/read_write.c:1070 [inline]\n __se_sys_preadv2 fs/read_write.c:1061 [inline]\n __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nwhich then looks like a filesystem bug rather than the incorrect\nexception annotation that it is.\n\n[ The alternative to this one-liner fix is to take the upstream series\n that cleans this all up:\n\n 68674f94ffc9 (\"x86: don\u0027t use REP_GOOD or ERMS for small memory copies\")\n 20f3337d350c (\"x86: don\u0027t use REP_GOOD or ERMS for small memory clearing\")\n adfcf4231b8c (\"x86: don\u0027t use REP_GOOD or ERMS for user memory copies\")\n * d2c95f9d6802 (\"x86: don\u0027t use REP_GOOD or ERMS for user memory clearing\")\n 3639a535587d (\"x86: move stac/clac from user copy routines into callers\")\n 577e6a7fd50d (\"x86: inline the \u0027rep movs\u0027 in user copies for the FSRM case\")\n 8c9b6a88b7e2 (\"x86: improve on the non-rep \u0027clear_user\u0027 function\")\n 427fda2c8a49 (\"x86: improve on the non-rep \u0027copy_user\u0027 function\")\n * e046fe5a36a9 (\"x86: set FSRS automatically on AMD CPUs that have FSRM\")\n e1f2750edc4a (\"x86: remove \u0027zerorest\u0027 argument from __copy_user_nocache()\")\n 034ff37d3407 (\"x86: rewrite \u0027__copy_user_nocache\u0027 function\")\n\n with either the whole series or at a minimum the two marked commits\n being needed to fix this issue ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T16:10:26.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76ce32682635fe907e0f8e64e039e773e5c7508f"
},
{
"url": "https://git.kernel.org/stable/c/e046fe5a36a970bc14fbfbcb2074a48776f6b671"
}
],
"title": "x86: fix clear_user_rep_good() exception handling annotation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53642",
"datePublished": "2025-10-07T15:19:41.693Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-10T16:10:26.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50524 (GCVE-0-2022-50524)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Check return value after calling platform_get_resource()
platform_get_resource() may return NULL pointer, we need check its
return value to avoid null-ptr-deref in resource_size().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfebf05883cdcf9ac983033987fae869bd59ca53",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
},
{
"lessThan": "feca904412483b2e0a903dd1f2e2843afd445f8c",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
},
{
"lessThan": "73b6924cdebc899de9b719e1319aa86c6bed4acf",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Check return value after calling platform_get_resource()\n\nplatform_get_resource() may return NULL pointer, we need check its\nreturn value to avoid null-ptr-deref in resource_size()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:17.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfebf05883cdcf9ac983033987fae869bd59ca53"
},
{
"url": "https://git.kernel.org/stable/c/feca904412483b2e0a903dd1f2e2843afd445f8c"
},
{
"url": "https://git.kernel.org/stable/c/73b6924cdebc899de9b719e1319aa86c6bed4acf"
}
],
"title": "iommu/mediatek: Check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50524",
"datePublished": "2025-10-07T15:19:17.251Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:17.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53622 (GCVE-0-2023-53622)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix possible data races in gfs2_show_options()
Some fields such as gt_logd_secs of the struct gfs2_tune are accessed
without holding the lock gt_spin in gfs2_show_options():
    val = sdp->sd_tune.gt_logd_secs;
    if (val != 30)
        seq_printf(s, ",commit=%d", val);
And thus can cause data races when gfs2_show_options() and other functions
such as gfs2_reconfigure() are concurrently executed:
    spin_lock(&gt->gt_spin);
    gt->gt_logd_secs = newargs->ar_commit;
To fix these possible data races, the lock sdp->sd_tune.gt_spin is
acquired before accessing the fields of gfs2_tune and released after these
accesses.
Further changes by Andreas:
- Don't hold the spin lock over the seq_printf operations.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e5bbeb7eb813bb2568e1d5d02587df943272e57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "235a5ae73cea29109a3e06f100493f17857e6a93",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b4a7ab57effbed42624842f2ab2a49b177c21a47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c5b2649f6a37d45bfb7abf34c9b71d08677139f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85e888150075cb221270b64bf772341fc6bd11d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4f71523ed2123d63b431cc0cea4e9f363a0f054",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "42077d4de49e4d9c773c97c42d5383b4899a8f9d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6fa0a72cbbe45db4ed967a51f9e6f4e3afe61d20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix possible data races in gfs2_show_options()\n\nSome fields such as gt_logd_secs of the struct gfs2_tune are accessed\nwithout holding the lock gt_spin in gfs2_show_options():\n\n val = sdp-\u003esd_tune.gt_logd_secs;\n if (val != 30)\n seq_printf(s, \",commit=%d\", val);\n\nAnd thus can cause data races when gfs2_show_options() and other functions\nsuch as gfs2_reconfigure() are concurrently executed:\n\n spin_lock(\u0026gt-\u003egt_spin);\n gt-\u003egt_logd_secs = newargs-\u003ear_commit;\n\nTo fix these possible data races, the lock sdp-\u003esd_tune.gt_spin is\nacquired before accessing the fields of gfs2_tune and released after these\naccesses.\n\nFurther changes by Andreas:\n\n- Don\u0027t hold the spin lock over the seq_printf operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:28.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e5bbeb7eb813bb2568e1d5d02587df943272e57"
},
{
"url": "https://git.kernel.org/stable/c/235a5ae73cea29109a3e06f100493f17857e6a93"
},
{
"url": "https://git.kernel.org/stable/c/b4a7ab57effbed42624842f2ab2a49b177c21a47"
},
{
"url": "https://git.kernel.org/stable/c/7c5b2649f6a37d45bfb7abf34c9b71d08677139f"
},
{
"url": "https://git.kernel.org/stable/c/85e888150075cb221270b64bf772341fc6bd11d9"
},
{
"url": "https://git.kernel.org/stable/c/a4f71523ed2123d63b431cc0cea4e9f363a0f054"
},
{
"url": "https://git.kernel.org/stable/c/42077d4de49e4d9c773c97c42d5383b4899a8f9d"
},
{
"url": "https://git.kernel.org/stable/c/6fa0a72cbbe45db4ed967a51f9e6f4e3afe61d20"
}
],
"title": "gfs2: Fix possible data races in gfs2_show_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53622",
"datePublished": "2025-10-07T15:19:28.146Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:28.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53647 (GCVE-0-2023-53647)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Don't dereference ACPI root object handle
Since the commit referenced in the Fixes: tag below the VMBus client driver
is walking the ACPI namespace up from the VMBus ACPI device to the ACPI
namespace root object trying to find Hyper-V MMIO ranges.
However, if it is not able to find them it ends up trying to walk resources of
the ACPI namespace root object itself.
This object has all-ones handle, which causes a NULL pointer dereference
in the ACPI code (from dereferencing this pointer with an offset).
This in turn causes an oops on boot with VMBus host implementations that do
not provide Hyper-V MMIO ranges in their VMBus ACPI device or its
ancestors.
The QEMU VMBus implementation is an example of such an implementation.
I guess providing these ranges is optional, since all tested Windows
versions seem to be able to use VMBus devices without them.
Fix this by explicitly terminating the lookup at the ACPI namespace root
object.
Note that Linux guests under KVM/QEMU do not use the Hyper-V PV interface
by default - they only do so if the KVM PV interface is missing or
disabled.
Example stack trace of such oops:
[ 3.710827] ? __die+0x1f/0x60
[ 3.715030] ? page_fault_oops+0x159/0x460
[ 3.716008] ? exc_page_fault+0x73/0x170
[ 3.716959] ? asm_exc_page_fault+0x22/0x30
[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0
[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0
[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0
[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200
[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0
[ 3.723559] ? down_timeout+0x3a/0x60
[ 3.724455] ? acpi_ns_get_node+0x3a/0x60
[ 3.725412] acpi_ns_get_node+0x3a/0x60
[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0
[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0
[ 3.728400] acpi_rs_get_method_data+0x2b/0x70
[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]
[ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]
[ 3.732411] acpi_walk_resources+0x78/0xd0
[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]
[ 3.734802] platform_probe+0x3d/0x90
[ 3.735684] really_probe+0x19b/0x400
[ 3.736570] ? __device_attach_driver+0x100/0x100
[ 3.737697] __driver_probe_device+0x78/0x160
[ 3.738746] driver_probe_device+0x1f/0x90
[ 3.739743] __driver_attach+0xc2/0x1b0
[ 3.740671] bus_for_each_dev+0x70/0xc0
[ 3.741601] bus_add_driver+0x10e/0x210
[ 3.742527] driver_register+0x55/0xf0
[ 3.744412] ? 0xffffffffc039a000
[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96db43aced395844a7abc9a0a5cc702513e3534a",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "9fc162c59edc841032a3553eb2334320abab0784",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "64f09d45e94547fbf219f36d1d02ac42742c028c",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "78e04bbff849b51b56f5925b1945db2c6e128b61",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don\u0027t dereference ACPI root object handle\n\nSince the commit referenced in the Fixes: tag below the VMBus client driver\nis walking the ACPI namespace up from the VMBus ACPI device to the ACPI\nnamespace root object trying to find Hyper-V MMIO ranges.\n\nHowever, if it is not able to find them it ends trying to walk resources of\nthe ACPI namespace root object itself.\nThis object has all-ones handle, which causes a NULL pointer dereference\nin the ACPI code (from dereferencing this pointer with an offset).\n\nThis in turn causes an oops on boot with VMBus host implementations that do\nnot provide Hyper-V MMIO ranges in their VMBus ACPI device or its\nancestors.\nThe QEMU VMBus implementation is an example of such implementation.\n\nI guess providing these ranges is optional, since all tested Windows\nversions seem to be able to use VMBus devices without them.\n\nFix this by explicitly terminating the lookup at the ACPI namespace root\nobject.\n\nNote that Linux guests under KVM/QEMU do not use the Hyper-V PV interface\nby default - they only do so if the KVM PV interface is missing or\ndisabled.\n\nExample stack trace of such oops:\n[ 3.710827] ? __die+0x1f/0x60\n[ 3.715030] ? page_fault_oops+0x159/0x460\n[ 3.716008] ? exc_page_fault+0x73/0x170\n[ 3.716959] ? asm_exc_page_fault+0x22/0x30\n[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0\n[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0\n[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0\n[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200\n[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0\n[ 3.723559] ? down_timeout+0x3a/0x60\n[ 3.724455] ? acpi_ns_get_node+0x3a/0x60\n[ 3.725412] acpi_ns_get_node+0x3a/0x60\n[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0\n[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0\n[ 3.728400] acpi_rs_get_method_data+0x2b/0x70\n[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.732411] acpi_walk_resources+0x78/0xd0\n[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]\n[ 3.734802] platform_probe+0x3d/0x90\n[ 3.735684] really_probe+0x19b/0x400\n[ 3.736570] ? __device_attach_driver+0x100/0x100\n[ 3.737697] __driver_probe_device+0x78/0x160\n[ 3.738746] driver_probe_device+0x1f/0x90\n[ 3.739743] __driver_attach+0xc2/0x1b0\n[ 3.740671] bus_for_each_dev+0x70/0xc0\n[ 3.741601] bus_add_driver+0x10e/0x210\n[ 3.742527] driver_register+0x55/0xf0\n[ 3.744412] ? 0xffffffffc039a000\n[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:45.083Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96db43aced395844a7abc9a0a5cc702513e3534a"
},
{
"url": "https://git.kernel.org/stable/c/9fc162c59edc841032a3553eb2334320abab0784"
},
{
"url": "https://git.kernel.org/stable/c/64f09d45e94547fbf219f36d1d02ac42742c028c"
},
{
"url": "https://git.kernel.org/stable/c/78e04bbff849b51b56f5925b1945db2c6e128b61"
}
],
"title": "Drivers: hv: vmbus: Don\u0027t dereference ACPI root object handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53647",
"datePublished": "2025-10-07T15:19:45.083Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:45.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53639 (GCVE-0-2023-53639)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath6kl: reduce WARN to dev_dbg() in callback
The warn is triggered on a known race condition, documented in the code above
the test, that is correctly handled. Using WARN() hinders automated testing.
Reducing severity.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: de2070fc4aa7c0205348010f500f5abce012e67b |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath6kl/htc_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2a429e6da37e32438a9adc250cc176a889c16a4",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "e7865f84adaf75cee1a4bbf79680329eca92b4e1",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "0d1792c98351b7c8ebdc53d052918e77d1e512c3",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "1300517e371e4d0acdb0f1237477e1ed223c3a9a",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "484d95c69fc1143f09e4c2e3b89019d68d190a92",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "644df7e865e76ab7a62c67c25cbbc093c944d0ef",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "6f93154d61b345acbc405c6dee16afb845eb298e",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "cbec770521ebc455c9811a23222faf8911422d4a",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "75c4a8154cb6c7239fb55d5550f481f6765fb83c",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath6kl/htc_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath6kl: reduce WARN to dev_dbg() in callback\n\nThe warn is triggered on a known race condition, documented in the code above\nthe test, that is correctly handled. Using WARN() hinders automated testing.\nReducing severity."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:39.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2a429e6da37e32438a9adc250cc176a889c16a4"
},
{
"url": "https://git.kernel.org/stable/c/e7865f84adaf75cee1a4bbf79680329eca92b4e1"
},
{
"url": "https://git.kernel.org/stable/c/0d1792c98351b7c8ebdc53d052918e77d1e512c3"
},
{
"url": "https://git.kernel.org/stable/c/1300517e371e4d0acdb0f1237477e1ed223c3a9a"
},
{
"url": "https://git.kernel.org/stable/c/484d95c69fc1143f09e4c2e3b89019d68d190a92"
},
{
"url": "https://git.kernel.org/stable/c/644df7e865e76ab7a62c67c25cbbc093c944d0ef"
},
{
"url": "https://git.kernel.org/stable/c/6f93154d61b345acbc405c6dee16afb845eb298e"
},
{
"url": "https://git.kernel.org/stable/c/cbec770521ebc455c9811a23222faf8911422d4a"
},
{
"url": "https://git.kernel.org/stable/c/75c4a8154cb6c7239fb55d5550f481f6765fb83c"
}
],
"title": "wifi: ath6kl: reduce WARN to dev_dbg() in callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53639",
"datePublished": "2025-10-07T15:19:39.664Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:39.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50533 (GCVE-0-2022-50533)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: mlme: fix null-ptr deref on failed assoc
If association to an AP without a link 0 fails, then we crash in
tracing because it assumes that either ap_mld_addr or link 0 BSS
is valid, since we clear sdata->vif.valid_links and then don't
add the ap_mld_addr to the struct.
Since we clear also sdata->vif.cfg.ap_addr, keep a local copy of
it and assign it earlier, before clearing valid_links, to fix
this.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c695dfba8dfb82dc7ace4f22be088916cbf621ca",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "bb7743955a929e44b308cc3f63f8cc03873c1bee",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "78a6a43aaf87180ec7425a2a90468e1b4d09a1ec",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mlme: fix null-ptr deref on failed assoc\n\nIf association to an AP without a link 0 fails, then we crash in\ntracing because it assumes that either ap_mld_addr or link 0 BSS\nis valid, since we clear sdata-\u003evif.valid_links and then don\u0027t\nadd the ap_mld_addr to the struct.\n\nSince we clear also sdata-\u003evif.cfg.ap_addr, keep a local copy of\nit and assign it earlier, before clearing valid_links, to fix\nthis."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:23.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c695dfba8dfb82dc7ace4f22be088916cbf621ca"
},
{
"url": "https://git.kernel.org/stable/c/bb7743955a929e44b308cc3f63f8cc03873c1bee"
},
{
"url": "https://git.kernel.org/stable/c/78a6a43aaf87180ec7425a2a90468e1b4d09a1ec"
}
],
"title": "wifi: mac80211: mlme: fix null-ptr deref on failed assoc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50533",
"datePublished": "2025-10-07T15:19:23.277Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:23.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53665 (GCVE-0-2023-53665)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: don't dereference mddev after export_rdev()
Except for initial reference, mddev->kobject is referenced by
rdev->kobject, and if the last rdev is freed, there is no guarantee that
mddev is still valid. Hence mddev should not be used anymore after
export_rdev().
This problem can be triggered by the following test for mdadm at a very
low rate:
New file: mdadm/tests/23rdev-lifetime
devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev`
pid=""
runtime=2
clean_up_test() {
pill -9 $pid
echo clear > /sys/block/md0/md/array_state
}
trap 'clean_up_test' EXIT
add_by_sysfs() {
while true; do
echo $devt > /sys/block/md0/md/new_dev
done
}
remove_by_sysfs(){
while true; do
echo remove > /sys/block/md0/md/dev-${devname}/state
done
}
echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"
add_by_sysfs &
pid="$pid $!"
remove_by_sysfs &
pid="$pid $!"
sleep $runtime
exit 0
Test cmd:
./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime
Test result:
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP
CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562
RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]
Call Trace:
<TASK>
mddev_unlock+0x1b6/0x310 [md_mod]
rdev_attr_store+0xec/0x190 [md_mod]
sysfs_kf_write+0x52/0x70
kernfs_fop_write_iter+0x19a/0x2a0
vfs_write+0x3b5/0x770
ksys_write+0x74/0x150
__x64_sys_write+0x22/0x30
do_syscall_64+0x40/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix this problem by not dereferencing mddev after export_rdev().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad430ad0669d2757377373390d68e1454fc7a344",
"status": "affected",
"version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
"versionType": "git"
},
{
"lessThan": "7deac114be5fb25a4e865212ed0feaf5f85f2a28",
"status": "affected",
"version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: don\u0027t dereference mddev after export_rdev()\n\nExcept for initial reference, mddev-\u003ekobject is referenced by\nrdev-\u003ekobject, and if the last rdev is freed, there is no guarantee that\nmddev is still valid. Hence mddev should not be used anymore after\nexport_rdev().\n\nThis problem can be triggered by following test for mdadm at very\nlow rate:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n pill -9 $pid\n echo clear \u003e /sys/block/md0/md/array_state\n}\n\ntrap \u0027clean_up_test\u0027 EXIT\n\nadd_by_sysfs() {\n while true; do\n echo $devt \u003e /sys/block/md0/md/new_dev\n done\n}\n\nremove_by_sysfs(){\n while true; do\n echo remove \u003e /sys/block/md0/md/dev-${devname}/state\n done\n}\n\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs \u0026\npid=\"$pid $!\"\n\nremove_by_sysfs \u0026\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\nCPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\nCall Trace:\n \u003cTASK\u003e\n mddev_unlock+0x1b6/0x310 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix this problem by don\u0027t dereference mddev after export_rdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:23.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad430ad0669d2757377373390d68e1454fc7a344"
},
{
"url": "https://git.kernel.org/stable/c/7deac114be5fb25a4e865212ed0feaf5f85f2a28"
}
],
"title": "md: don\u0027t dereference mddev after export_rdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53665",
"datePublished": "2025-10-07T15:21:23.808Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:23.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53680 (GCVE-0-2023-53680)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
OPDESC() simply indexes into nfsd4_ops[] by the op's operation
number, without range checking that value. It assumes callers are
careful to avoid calling it with an out-of-bounds opnum value.
nfsd4_decode_compound() is not so careful, and can invoke OPDESC()
with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end
of nfsd4_ops[].
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50827896c365e0f6c8b55ed56d444dafd87c92c5",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "a64160124d5a078be0c380b1e8a0bad2d040d3a1",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "f352c41fa718482979e7e6b71b4da2b718e381cc",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "804d8e0a6e54427268790472781e03bc243f4ee3",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.220",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL\n\nOPDESC() simply indexes into nfsd4_ops[] by the op\u0027s operation\nnumber, without range checking that value. It assumes callers are\ncareful to avoid calling it with an out-of-bounds opnum value.\n\nnfsd4_decode_compound() is not so careful, and can invoke OPDESC()\nwith opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end\nof nfsd4_ops[]."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:34.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50827896c365e0f6c8b55ed56d444dafd87c92c5"
},
{
"url": "https://git.kernel.org/stable/c/a64160124d5a078be0c380b1e8a0bad2d040d3a1"
},
{
"url": "https://git.kernel.org/stable/c/ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e"
},
{
"url": "https://git.kernel.org/stable/c/f352c41fa718482979e7e6b71b4da2b718e381cc"
},
{
"url": "https://git.kernel.org/stable/c/804d8e0a6e54427268790472781e03bc243f4ee3"
}
],
"title": "NFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53680",
"datePublished": "2025-10-07T15:21:34.626Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:34.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53630 (GCVE-0-2023-53630)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix unpinning of pages when an access is present
syzkaller found that the calculation of batch_last_index should use
'start_index' since at input to this function the batch is either empty or
it has already been adjusted to cross any accesses so it will start at the
point we are unmapping from.
Getting this wrong causes the unmap to run over the end of the pages
which corrupts pages that were never mapped. In most cases this triggers
the num pinned debugging:
WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560
Modules linked in:
CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__iopt_area_unfill_domain+0x152/0x560
Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54
RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85
RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002
RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014
R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004
R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800
FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
iopt_area_unfill_domain+0x32/0x40
iopt_table_remove_domain+0x23f/0x4c0
iommufd_device_selftest_detach+0x3a/0x90
iommufd_selftest_destroy+0x55/0x70
iommufd_object_destroy_user+0xce/0x130
iommufd_destroy+0xa2/0xc0
iommufd_fops_ioctl+0x206/0x330
__x64_sys_ioctl+0x10e/0x160
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Also add some useful WARN_ON sanity checks.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/pages.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70726ce4d898db57bfc4ae30ecd7da63b0dd0aa4",
"status": "affected",
"version": "8d160cd4d5066f864ec0f2c981470e55ac03ac27",
"versionType": "git"
},
{
"lessThan": "727c28c1cef2bc013d2c8bb6c50e410a3882a04e",
"status": "affected",
"version": "8d160cd4d5066f864ec0f2c981470e55ac03ac27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/pages.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix unpinning of pages when an access is present\n\nsyzkaller found that the calculation of batch_last_index should use\n\u0027start_index\u0027 since at input to this function the batch is either empty or\nit has already been adjusted to cross any accesses so it will start at the\npoint we are unmapping from.\n\nGetting this wrong causes the unmap to run over the end of the pages\nwhich corrupts pages that were never mapped. In most cases this triggers\nthe num pinned debugging:\n\n WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560\n Modules linked in:\n CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__iopt_area_unfill_domain+0x152/0x560\n Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff \u003c0f\u003e 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54\n RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85\n RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002\n RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014\n R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004\n R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800\n FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n iopt_area_unfill_domain+0x32/0x40\n iopt_table_remove_domain+0x23f/0x4c0\n iommufd_device_selftest_detach+0x3a/0x90\n iommufd_selftest_destroy+0x55/0x70\n iommufd_object_destroy_user+0xce/0x130\n 
iommufd_destroy+0xa2/0xc0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAlso add some useful WARN_ON sanity checks."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:33.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70726ce4d898db57bfc4ae30ecd7da63b0dd0aa4"
},
{
"url": "https://git.kernel.org/stable/c/727c28c1cef2bc013d2c8bb6c50e410a3882a04e"
}
],
"title": "iommufd: Fix unpinning of pages when an access is present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53630",
"datePublished": "2025-10-07T15:19:33.623Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:33.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53627 (GCVE-0-2023-53627)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list
When freeing slots in function slot_complete_v3_hw(), it is possible that
sas_dev.list is being traversed elsewhere, and it may trigger a NULL
pointer exception, such as follows:
==>cq thread                          ==>scsi_eh_6

                                      ==>scsi_error_handler()
                                        ==>sas_eh_handle_sas_errors()
                                          ==>sas_scsi_find_task()
                                            ==>lldd_abort_task()
==>slot_complete_v3_hw()                      ==>hisi_sas_abort_task()
  ==>hisi_sas_slot_task_free()                  ==>dereg_device_v3_hw()
    ==>list_del_init()                            ==>list_for_each_entry_safe()
[ 7165.434918] sas: Enter sas_scsi_recover_host busy: 32 failed: 32
[ 7165.434926] sas: trying to find task 0x00000000769b5ba5
[ 7165.434927] sas: sas_scsi_find_task: aborting task 0x00000000769b5ba5
[ 7165.434940] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000769b5ba5) aborted
[ 7165.434964] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000c9f7aa07) ignored
[ 7165.434965] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000e2a1cf01) ignored
[ 7165.434968] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 7165.434972] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000022d52d93) ignored
[ 7165.434975] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000066a7516c) ignored
[ 7165.434976] Mem abort info:
[ 7165.434982] ESR = 0x96000004
[ 7165.434991] Exception class = DABT (current EL), IL = 32 bits
[ 7165.434992] SET = 0, FnV = 0
[ 7165.434993] EA = 0, S1PTW = 0
[ 7165.434994] Data abort info:
[ 7165.434994] ISV = 0, ISS = 0x00000004
[ 7165.434995] CM = 0, WnR = 0
[ 7165.434997] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f29543f2
[ 7165.434998] [0000000000000000] pgd=0000000000000000
[ 7165.435003] Internal error: Oops: 96000004 [#1] SMP
[ 7165.439863] Process scsi_eh_6 (pid: 4109, stack limit = 0x00000000c43818d5)
[ 7165.468862] pstate: 00c00009 (nzcv daif +PAN +UAO)
[ 7165.473637] pc : dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]
[ 7165.479443] lr : dereg_device_v3_hw+0x2c/0xa8 [hisi_sas_v3_hw]
[ 7165.485247] sp : ffff00001d623bc0
[ 7165.488546] x29: ffff00001d623bc0 x28: ffffa027d03b9508
[ 7165.493835] x27: ffff80278ed50af0 x26: ffffa027dd31e0a8
[ 7165.499123] x25: ffffa027d9b27f88 x24: ffffa027d9b209f8
[ 7165.504411] x23: ffffa027c45b0d60 x22: ffff80278ec07c00
[ 7165.509700] x21: 0000000000000008 x20: ffffa027d9b209f8
[ 7165.514988] x19: ffffa027d9b27f88 x18: ffffffffffffffff
[ 7165.520276] x17: 0000000000000000 x16: 0000000000000000
[ 7165.525564] x15: ffff0000091d9708 x14: ffff0000093b7dc8
[ 7165.530852] x13: ffff0000093b7a23 x12: 6e7265746e692067
[ 7165.536140] x11: 0000000000000000 x10: 0000000000000bb0
[ 7165.541429] x9 : ffff00001d6238f0 x8 : ffffa027d877af00
[ 7165.546718] x7 : ffffa027d6329600 x6 : ffff7e809f58ca00
[ 7165.552006] x5 : 0000000000001f8a x4 : 000000000000088e
[ 7165.557295] x3 : ffffa027d9b27fa8 x2 : 0000000000000000
[ 7165.562583] x1 : 0000000000000000 x0 : 000000003000188e
[ 7165.567872] Call trace:
[ 7165.570309] dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]
[ 7165.575775] hisi_sas_abort_task+0x248/0x358 [hisi_sas_main]
[ 7165.581415] sas_eh_handle_sas_errors+0x258/0x8e0 [libsas]
[ 7165.586876] sas_scsi_recover_host+0x134/0x458 [libsas]
[ 7165.592082] scsi_error_handler+0xb4/0x488
[ 7165.596163] kthread+0x134/0x138
[ 7165.599380] ret_from_fork+0x10/0x18
[ 7165.602940] Code: d5033e9f b9000040 aa0103e2 eb03003f (f9400021)
[ 7165.609004] kernel fault(0x1) notification starting on CPU 75
[ 7165.700728] ---[ end trace fc042cbbea224efc ]---
[ 7165.705326] Kernel panic - not syncing: Fatal exception
To fix the issue, grab sas_dev lock when traversing the members of
sas_dev.list in dereg_device_v3_hw() and hisi_sas_release_tasks() to avoid
concurrency of adding and deleting member. When
---truncated---
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas.h",
"drivers/scsi/hisi_sas/hisi_sas_main.c",
"drivers/scsi/hisi_sas/hisi_sas_v1_hw.c",
"drivers/scsi/hisi_sas/hisi_sas_v2_hw.c",
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e2a40b3a332ea84079983be21c944de8ddbc4f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71fb36b5ff113a7674710b9d6063241eada84ff7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas.h",
"drivers/scsi/hisi_sas/hisi_sas_main.c",
"drivers/scsi/hisi_sas/hisi_sas_v1_hw.c",
"drivers/scsi/hisi_sas/hisi_sas_v2_hw.c",
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list\n\nWhen freeing slots in function slot_complete_v3_hw(), it is possible that\nsas_dev.list is being traversed elsewhere, and it may trigger a NULL\npointer exception, such as follows:\n\n==\u003ecq thread ==\u003escsi_eh_6\n\n ==\u003escsi_error_handler()\n\t\t\t\t ==\u003esas_eh_handle_sas_errors()\n\t\t\t\t ==\u003esas_scsi_find_task()\n\t\t\t\t ==\u003elldd_abort_task()\n==\u003eslot_complete_v3_hw() ==\u003ehisi_sas_abort_task()\n ==\u003ehisi_sas_slot_task_free()\t ==\u003edereg_device_v3_hw()\n ==\u003elist_del_init() \t\t ==\u003elist_for_each_entry_safe()\n\n[ 7165.434918] sas: Enter sas_scsi_recover_host busy: 32 failed: 32\n[ 7165.434926] sas: trying to find task 0x00000000769b5ba5\n[ 7165.434927] sas: sas_scsi_find_task: aborting task 0x00000000769b5ba5\n[ 7165.434940] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000769b5ba5) aborted\n[ 7165.434964] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000c9f7aa07) ignored\n[ 7165.434965] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000e2a1cf01) ignored\n[ 7165.434968] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 7165.434972] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000022d52d93) ignored\n[ 7165.434975] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000066a7516c) ignored\n[ 7165.434976] Mem abort info:\n[ 7165.434982] ESR = 0x96000004\n[ 7165.434991] Exception class = DABT (current EL), IL = 32 bits\n[ 7165.434992] SET = 0, FnV = 0\n[ 7165.434993] EA = 0, S1PTW = 0\n[ 7165.434994] Data abort info:\n[ 7165.434994] ISV = 0, ISS = 0x00000004\n[ 7165.434995] CM = 0, WnR = 0\n[ 7165.434997] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f29543f2\n[ 7165.434998] [0000000000000000] pgd=0000000000000000\n[ 7165.435003] Internal error: Oops: 96000004 [#1] SMP\n[ 7165.439863] 
Process scsi_eh_6 (pid: 4109, stack limit = 0x00000000c43818d5)\n[ 7165.468862] pstate: 00c00009 (nzcv daif +PAN +UAO)\n[ 7165.473637] pc : dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.479443] lr : dereg_device_v3_hw+0x2c/0xa8 [hisi_sas_v3_hw]\n[ 7165.485247] sp : ffff00001d623bc0\n[ 7165.488546] x29: ffff00001d623bc0 x28: ffffa027d03b9508\n[ 7165.493835] x27: ffff80278ed50af0 x26: ffffa027dd31e0a8\n[ 7165.499123] x25: ffffa027d9b27f88 x24: ffffa027d9b209f8\n[ 7165.504411] x23: ffffa027c45b0d60 x22: ffff80278ec07c00\n[ 7165.509700] x21: 0000000000000008 x20: ffffa027d9b209f8\n[ 7165.514988] x19: ffffa027d9b27f88 x18: ffffffffffffffff\n[ 7165.520276] x17: 0000000000000000 x16: 0000000000000000\n[ 7165.525564] x15: ffff0000091d9708 x14: ffff0000093b7dc8\n[ 7165.530852] x13: ffff0000093b7a23 x12: 6e7265746e692067\n[ 7165.536140] x11: 0000000000000000 x10: 0000000000000bb0\n[ 7165.541429] x9 : ffff00001d6238f0 x8 : ffffa027d877af00\n[ 7165.546718] x7 : ffffa027d6329600 x6 : ffff7e809f58ca00\n[ 7165.552006] x5 : 0000000000001f8a x4 : 000000000000088e\n[ 7165.557295] x3 : ffffa027d9b27fa8 x2 : 0000000000000000\n[ 7165.562583] x1 : 0000000000000000 x0 : 000000003000188e\n[ 7165.567872] Call trace:\n[ 7165.570309] dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.575775] hisi_sas_abort_task+0x248/0x358 [hisi_sas_main]\n[ 7165.581415] sas_eh_handle_sas_errors+0x258/0x8e0 [libsas]\n[ 7165.586876] sas_scsi_recover_host+0x134/0x458 [libsas]\n[ 7165.592082] scsi_error_handler+0xb4/0x488\n[ 7165.596163] kthread+0x134/0x138\n[ 7165.599380] ret_from_fork+0x10/0x18\n[ 7165.602940] Code: d5033e9f b9000040 aa0103e2 eb03003f (f9400021)\n[ 7165.609004] kernel fault(0x1) notification starting on CPU 75\n[ 7165.700728] ---[ end trace fc042cbbea224efc ]---\n[ 7165.705326] Kernel panic - not syncing: Fatal exception\n\nTo fix the issue, grab sas_dev lock when traversing the members of\nsas_dev.list in dereg_device_v3_hw() and hisi_sas_release_tasks() to avoid\nconcurrency of 
adding and deleting member. When \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:31.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e2a40b3a332ea84079983be21c944de8ddbc4f3"
},
{
"url": "https://git.kernel.org/stable/c/71fb36b5ff113a7674710b9d6063241eada84ff7"
}
],
"title": "scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53627",
"datePublished": "2025-10-07T15:19:31.591Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:31.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50541 (GCVE-0-2022-50541)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-30 19:33
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow
UDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.
These registers are 32-bit hardware counters and the driver uses these
counters to monitor the operational progress status for a channel, when
transferring more than 4GB of data it was observed that these counters
overflow and completion calculation of an operation gets affected and the
transfer hangs indefinitely.
This commit adds changes to decrease the byte count for every complete
transaction so that these registers never overflow and the proper byte
count statistics is maintained for ongoing transaction by the RT counters.
Earlier uc->bcnt used to maintain a count of the completed bytes at driver
side, since the RT counters maintain the statistics of current transaction
now, the maintenance of uc->bcnt is not necessary.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/k3-udma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d68da10b0cceb4177b653833e794b2923a4ffbd7",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "e0b16bfbd3a4a8d09614046335f4482313e7c0c4",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "a065657643a62a24b4435ddcaea45f1e9378749e",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "7c94dcfa8fcff2dba53915f1dabfee49a3df8b88",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/k3-udma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow\n\nUDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.\nThese registers are 32-bit hardware counters and the driver uses these\ncounters to monitor the operational progress status for a channel, when\ntransferring more than 4GB of data it was observed that these counters\noverflow and completion calculation of a operation gets affected and the\ntransfer hangs indefinitely.\n\nThis commit adds changes to decrease the byte count for every complete\ntransaction so that these registers never overflow and the proper byte\ncount statistics is maintained for ongoing transaction by the RT counters.\n\nEarlier uc-\u003ebcnt used to maintain a count of the completed bytes at driver\nside, since the RT counters maintain the statistics of current transaction\nnow, the maintenance of uc-\u003ebcnt is not necessary."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:04.866Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d68da10b0cceb4177b653833e794b2923a4ffbd7"
},
{
"url": "https://git.kernel.org/stable/c/e0b16bfbd3a4a8d09614046335f4482313e7c0c4"
},
{
"url": "https://git.kernel.org/stable/c/a065657643a62a24b4435ddcaea45f1e9378749e"
},
{
"url": "https://git.kernel.org/stable/c/7c94dcfa8fcff2dba53915f1dabfee49a3df8b88"
}
],
"title": "dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50541",
"datePublished": "2025-10-07T15:21:06.548Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-30T19:33:04.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53633 (GCVE-0-2023-53633)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Fix a leak in map_user_pages()
If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages. Call put_page() on
the pages before returning.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "73274c33d961f4aa0f968f763e2c9f4210b4f4a3",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix a leak in map_user_pages()\n\nIf get_user_pages_fast() allocates some pages but not as many as we\nwanted, then the current code leaks those pages. Call put_page() on\nthe pages before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:35.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c"
},
{
"url": "https://git.kernel.org/stable/c/73274c33d961f4aa0f968f763e2c9f4210b4f4a3"
}
],
"title": "accel/qaic: Fix a leak in map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53633",
"datePublished": "2025-10-07T15:19:35.647Z",
"dateReserved": "2025-10-07T15:16:59.657Z",
"dateUpdated": "2025-10-07T15:19:35.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53644 (GCVE-0-2023-53644)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: radio-shark: Add endpoint checks
The syzbot fuzzer was able to provoke a WARNING from the radio-shark2
driver:
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
...
The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types. This can be fixed by adding a simple check of
these endpoints (and similarly for the radio-shark driver).
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-shark.c",
"drivers/media/radio/radio-shark2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ed6a312ac1e7278f92b1b3d95377b335ae21e89",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "afd72825b4fcb7ae4015e1c93b054f4c37a25684",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b580d0f03c4fc00013cd08f9ed96b87a08fd0d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a30dce9d7f70f8438956f6a01142b926c301334",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1bde4b4360c3d8a35504443efabd3243b802805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53764a17f5d8f0d00b13297d06b5e65fa844288b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c3057a1927fa0b9ed8948b6f3b56b4ff9fa63d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76e31045ba030e94e72105c01b2e98f543d175ac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-shark.c",
"drivers/media/radio/radio-shark2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: radio-shark: Add endpoint checks\n\nThe syzbot fuzzer was able to provoke a WARNING from the radio-shark2\ndriver:\n\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 \u003c0f\u003e 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc90003876dd0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000\nRDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac\nRBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001\nR13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200\nFS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387\n shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88\n...\n\nThe problem was caused by the fact that the driver does not check\nwhether the endpoints it uses are actually present and have the\nappropriate types. 
This can be fixed by adding a simple check of\nthese endpoints (and similarly for the radio-shark driver)."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:43.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ed6a312ac1e7278f92b1b3d95377b335ae21e89"
},
{
"url": "https://git.kernel.org/stable/c/afd72825b4fcb7ae4015e1c93b054f4c37a25684"
},
{
"url": "https://git.kernel.org/stable/c/2b580d0f03c4fc00013cd08f9ed96b87a08fd0d9"
},
{
"url": "https://git.kernel.org/stable/c/8a30dce9d7f70f8438956f6a01142b926c301334"
},
{
"url": "https://git.kernel.org/stable/c/b1bde4b4360c3d8a35504443efabd3243b802805"
},
{
"url": "https://git.kernel.org/stable/c/53764a17f5d8f0d00b13297d06b5e65fa844288b"
},
{
"url": "https://git.kernel.org/stable/c/4c3057a1927fa0b9ed8948b6f3b56b4ff9fa63d3"
},
{
"url": "https://git.kernel.org/stable/c/76e31045ba030e94e72105c01b2e98f543d175ac"
}
],
"title": "media: radio-shark: Add endpoint checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53644",
"datePublished": "2025-10-07T15:19:43.049Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:43.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53654 (GCVE-0-2023-53654)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: Add validation before accessing cgx and lmac
With the addition of new MAC blocks like CN10K RPM and CN10KB
RPM_USX, LMACs are noncontiguous and CGX blocks are also
noncontiguous. But during RVU driver initialization, the driver
is assuming they are contiguous and trying to access
cgx or lmac with their id which is resulting in kernel panic.
This patch fixes the issue by adding proper checks.
[ 23.219150] pc : cgx_lmac_read+0x38/0x70
[ 23.219154] lr : rvu_program_channels+0x3f0/0x498
[ 23.223852] sp : ffff000100d6fc80
[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:
000000000000005a
[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:
fffffffffff0f000
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/cgx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "a5485a943193e55c79150382e6461e8ea759e96e",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "b04872e15f3df62cb2fd530950f769626e1ef489",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "79ebb53772c95d3a6ae51b3c65f9985fdd430df6",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/cgx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation before accessing cgx and lmac\n\nwith the addition of new MAC blocks like CN10K RPM and CN10KB\nRPM_USX, LMACs are noncontiguous and CGX blocks are also\nnoncontiguous. But during RVU driver initialization, the driver\nis assuming they are contiguous and trying to access\ncgx or lmac with their id which is resulting in kernel panic.\n\nThis patch fixes the issue by adding proper checks.\n\n[ 23.219150] pc : cgx_lmac_read+0x38/0x70\n[ 23.219154] lr : rvu_program_channels+0x3f0/0x498\n[ 23.223852] sp : ffff000100d6fc80\n[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:\n000000000000005a\n[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:\nfffffffffff0f000"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:49.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef"
},
{
"url": "https://git.kernel.org/stable/c/a5485a943193e55c79150382e6461e8ea759e96e"
},
{
"url": "https://git.kernel.org/stable/c/b04872e15f3df62cb2fd530950f769626e1ef489"
},
{
"url": "https://git.kernel.org/stable/c/79ebb53772c95d3a6ae51b3c65f9985fdd430df6"
}
],
"title": "octeontx2-af: Add validation before accessing cgx and lmac",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53654",
"datePublished": "2025-10-07T15:19:49.985Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:49.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53651 (GCVE-0-2023-53651)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: exc3000 - properly stop timer on shutdown
We need to stop the timer on driver unbind or probe failures, otherwise
we get UAF/Oops.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/exc3000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "526a177ac6353d65057eadb5d6edafc168f64484",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
},
{
"lessThan": "bee57c20fc0ca5ef9b9a53a0335eab2ac9e9cae1",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
},
{
"lessThan": "79c81d137d36f9635bbcbc3916c0cccb418a61dd",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/exc3000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.20",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: exc3000 - properly stop timer on shutdown\n\nWe need to stop the timer on driver unbind or probe failures, otherwise\nwe get UAF/Oops."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:47.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/526a177ac6353d65057eadb5d6edafc168f64484"
},
{
"url": "https://git.kernel.org/stable/c/bee57c20fc0ca5ef9b9a53a0335eab2ac9e9cae1"
},
{
"url": "https://git.kernel.org/stable/c/79c81d137d36f9635bbcbc3916c0cccb418a61dd"
}
],
"title": "Input: exc3000 - properly stop timer on shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53651",
"datePublished": "2025-10-07T15:19:47.832Z",
"dateReserved": "2025-10-07T15:16:59.660Z",
"dateUpdated": "2025-10-07T15:19:47.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50542 (GCVE-0-2022-50542)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: si470x: Fix use-after-free in si470x_int_in_callback()
syzbot reported use-after-free in si470x_int_in_callback() [1]. This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.
The cause of this issue is that si470x_int_in_callback() is called for
freed urb.
si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
si470x_device object, as depicted below:
si470x_usb_driver_probe()
  ...
  si470x_start_usb()
    ...
    usb_submit_urb()
    retval = si470x_start()
    return retval
  if (retval < 0)
    free struct si470x_device object, but don't kill urb
This patch fixes this issue by killing urb when si470x_start_usb()
fails and urb is submitted. If si470x_start_usb() fails and urb is
not submitted, i.e. submitting usb fails, it just frees struct
si470x_device object.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/si470x/radio-si470x-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "146bd005ebb01ae190c22af050cb98623958c373",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c6151b8e8dd2d98ad2cd725d26d1e103d989891",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52f54fe78cca24850a30865037250f63eb3d5bf7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ca298d548461d29615f9a2b1309e8dcf4a352c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c6447d0fc68650e51586dde79b5090d9d77f13a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c8aee0c8fcc6dda94315f7908e8fa9bc75abe75",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "63648a7bd1a7599bcc2040a6d1792363ae4c2e1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92b0888398e4ba51d93b618a6506781f4e3879c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d21e0b1b41b21d628bf2afce777727bd4479aa5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/si470x/radio-si470x-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: si470x: Fix use-after-free in si470x_int_in_callback()\n\nsyzbot reported use-after-free in si470x_int_in_callback() [1]. This\nindicates that urb-\u003econtext, which contains struct si470x_device\nobject, is freed when si470x_int_in_callback() is called.\n\nThe cause of this issue is that si470x_int_in_callback() is called for\nfreed urb.\n\nsi470x_usb_driver_probe() calls si470x_start_usb(), which then calls\nusb_submit_urb() and si470x_start(). If si470x_start_usb() fails,\nsi470x_usb_driver_probe() doesn\u0027t kill urb, but it just frees struct\nsi470x_device object, as depicted below:\n\nsi470x_usb_driver_probe()\n ...\n si470x_start_usb()\n ...\n usb_submit_urb()\n retval = si470x_start()\n return retval\n if (retval \u003c 0)\n free struct si470x_device object, but don\u0027t kill urb\n\nThis patch fixes this issue by killing urb when si470x_start_usb()\nfails and urb is submitted. If si470x_start_usb() fails and urb is\nnot submitted, i.e. submitting usb fails, it just frees struct\nsi470x_device object."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:07.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/146bd005ebb01ae190c22af050cb98623958c373"
},
{
"url": "https://git.kernel.org/stable/c/8c6151b8e8dd2d98ad2cd725d26d1e103d989891"
},
{
"url": "https://git.kernel.org/stable/c/52f54fe78cca24850a30865037250f63eb3d5bf7"
},
{
"url": "https://git.kernel.org/stable/c/0ca298d548461d29615f9a2b1309e8dcf4a352c6"
},
{
"url": "https://git.kernel.org/stable/c/1c6447d0fc68650e51586dde79b5090d9d77f13a"
},
{
"url": "https://git.kernel.org/stable/c/6c8aee0c8fcc6dda94315f7908e8fa9bc75abe75"
},
{
"url": "https://git.kernel.org/stable/c/63648a7bd1a7599bcc2040a6d1792363ae4c2e1b"
},
{
"url": "https://git.kernel.org/stable/c/92b0888398e4ba51d93b618a6506781f4e3879c9"
},
{
"url": "https://git.kernel.org/stable/c/7d21e0b1b41b21d628bf2afce777727bd4479aa5"
}
],
"title": "media: si470x: Fix use-after-free in si470x_int_in_callback()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50542",
"datePublished": "2025-10-07T15:21:07.236Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:07.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50540 (GCVE-0-2022-50540)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom-adm: fix wrong sizeof config in slave_config
Fix broken slave_config function that incorrectly compares the
peripheral_size with the size of the config pointer instead of the size
of the config struct. This causes the crci value to be ignored and causes
a kernel panic on any slave that uses the adm driver.
To fix this, compare to the size of the struct and NOT the size of the
pointer.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/qcom_adm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1dd45a6585a1689e1e8906b3f9e302b9d40c715",
"status": "affected",
"version": "03de6b273805b3c552ff158f8688555937375926",
"versionType": "git"
},
{
"lessThan": "7490274b41a432824f7df5071ace3df2ab59caa7",
"status": "affected",
"version": "03de6b273805b3c552ff158f8688555937375926",
"versionType": "git"
},
{
"lessThan": "7c8765308371be30f50c1b5b97618b731514b207",
"status": "affected",
"version": "03de6b273805b3c552ff158f8688555937375926",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/qcom_adm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom-adm: fix wrong sizeof config in slave_config\n\nFix broken slave_config function that uncorrectly compare the\nperipheral_size with the size of the config pointer instead of the size\nof the config struct. This cause the crci value to be ignored and cause\na kernel panic on any slave that use adm driver.\n\nTo fix this, compare to the size of the struct and NOT the size of the\npointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:05.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1dd45a6585a1689e1e8906b3f9e302b9d40c715"
},
{
"url": "https://git.kernel.org/stable/c/7490274b41a432824f7df5071ace3df2ab59caa7"
},
{
"url": "https://git.kernel.org/stable/c/7c8765308371be30f50c1b5b97618b731514b207"
}
],
"title": "dmaengine: qcom-adm: fix wrong sizeof config in slave_config",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50540",
"datePublished": "2025-10-07T15:21:05.836Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:05.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53650 (GCVE-0-2023-53650)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_mipid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d97840bf5a388c6cbf6e46216887bf17be62acc2",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "7a8f9293bee51183023c5e37e7ebf0543cd2a134",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "9e3858f82e3ced1e990ef7116c3a16c84e62093e",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "ce6e0434e502abdf966164b7c72523fb5fe54635",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "716efd08985e3104031d1b655930b1f1c45fa8a7",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "3b4c21804076e461a6453ee4d09872172336aa1d",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "7cca0af3167dd9603da5fa6fff3392f8338e97e1",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "09ea1ae4a2ec17774892cfcff50f6d33dfa1e06f",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "79a3908d1ea6c35157a6d907b1a9d8ec06015e7a",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_mipid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()\n\nIf \u0027mipid_detect()\u0027 fails, we must free \u0027md\u0027 to avoid a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:47.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d97840bf5a388c6cbf6e46216887bf17be62acc2"
},
{
"url": "https://git.kernel.org/stable/c/7a8f9293bee51183023c5e37e7ebf0543cd2a134"
},
{
"url": "https://git.kernel.org/stable/c/9e3858f82e3ced1e990ef7116c3a16c84e62093e"
},
{
"url": "https://git.kernel.org/stable/c/ce6e0434e502abdf966164b7c72523fb5fe54635"
},
{
"url": "https://git.kernel.org/stable/c/716efd08985e3104031d1b655930b1f1c45fa8a7"
},
{
"url": "https://git.kernel.org/stable/c/3b4c21804076e461a6453ee4d09872172336aa1d"
},
{
"url": "https://git.kernel.org/stable/c/7cca0af3167dd9603da5fa6fff3392f8338e97e1"
},
{
"url": "https://git.kernel.org/stable/c/09ea1ae4a2ec17774892cfcff50f6d33dfa1e06f"
},
{
"url": "https://git.kernel.org/stable/c/79a3908d1ea6c35157a6d907b1a9d8ec06015e7a"
}
],
"title": "fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53650",
"datePublished": "2025-10-07T15:19:47.118Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:47.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53638 (GCVE-0-2023-53638)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: cancel queued works in probe error path
If it fails to get the device's MAC address, octep_probe exits while
leaving the delayed work intr_poll_task queued. When the work later
runs, it's a use after free.
Move the cancelation of intr_poll_task from octep_remove into
octep_device_cleanup. This does not change anything in the octep_remove
flow, but octep_device_cleanup is called also in the octep_probe error
path, where the cancelation is needed.
Note that the cancelation of ctrl_mbox_task has to follow
intr_poll_task's, because the ctrl_mbox_task may be queued by
intr_poll_task.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62312e2f6466b5f0a120542a38b410d88a34ed00",
"status": "affected",
"version": "24d4333233b378114106a1327d3d635a004f4387",
"versionType": "git"
},
{
"lessThan": "758c91078165ae641b698750a72eafe7968b3756",
"status": "affected",
"version": "24d4333233b378114106a1327d3d635a004f4387",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: cancel queued works in probe error path\n\nIf it fails to get the devices\u0027s MAC address, octep_probe exits while\nleaving the delayed work intr_poll_task queued. When the work later\nruns, it\u0027s a use after free.\n\nMove the cancelation of intr_poll_task from octep_remove into\noctep_device_cleanup. This does not change anything in the octep_remove\nflow, but octep_device_cleanup is called also in the octep_probe error\npath, where the cancelation is needed.\n\nNote that the cancelation of ctrl_mbox_task has to follow\nintr_poll_task\u0027s, because the ctrl_mbox_task may be queued by\nintr_poll_task."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:38.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62312e2f6466b5f0a120542a38b410d88a34ed00"
},
{
"url": "https://git.kernel.org/stable/c/758c91078165ae641b698750a72eafe7968b3756"
}
],
"title": "octeon_ep: cancel queued works in probe error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53638",
"datePublished": "2025-10-07T15:19:38.989Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:38.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53619 (GCVE-0-2023-53619)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
If nf_conntrack_init_start() fails (for example due to a
register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
clean-up path frees the nf_ct_helper_hash map.
When built with NF_CONNTRACK=y, further netfilter modules (e.g:
netfilter_conntrack_ftp) can still be loaded and call
nf_conntrack_helpers_register(), independently of whether nf_conntrack
initialized correctly. This accesses the nf_ct_helper_hash dangling
pointer and causes a uaf, possibly leading to random memory corruption.
This patch guards nf_conntrack_helper_register() from accessing a freed
or uninitialized nf_ct_helper_hash pointer and fixes possible
uses-after-free when loading a conntrack module.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ee69c91cb8f9ca144bc0861969e5a1a3c6152a7",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "00716f25f9697d02a0d9bd622575c7c7321ba3d0",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "61c7a5256543ae7d24cd9d21853d514c8632e1e9",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "8289d422f5e484efe4a565fe18e862ecd621c175",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "6f03ce2f1abcb9f9d0511e3659ca6eb60e39f566",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "05561f822f27b9fa88fa5504ddec34bf38833034",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "fce5cc7cbd4b92f979bf02c9ec5fb69aaeba92d7",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "6eef7a2b933885a17679eb8ed0796ddf0ee5309b",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: Avoid nf_ct_helper_hash uses after free\n\nIf nf_conntrack_init_start() fails (for example due to a\nregister_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()\nclean-up path frees the nf_ct_helper_hash map.\n\nWhen built with NF_CONNTRACK=y, further netfilter modules (e.g:\nnetfilter_conntrack_ftp) can still be loaded and call\nnf_conntrack_helpers_register(), independently of whether nf_conntrack\ninitialized correctly. This accesses the nf_ct_helper_hash dangling\npointer and causes a uaf, possibly leading to random memory corruption.\n\nThis patch guards nf_conntrack_helper_register() from accessing a freed\nor uninitialized nf_ct_helper_hash pointer and fixes possible\nuses-after-free when loading a conntrack module."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:26.003Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ee69c91cb8f9ca144bc0861969e5a1a3c6152a7"
},
{
"url": "https://git.kernel.org/stable/c/00716f25f9697d02a0d9bd622575c7c7321ba3d0"
},
{
"url": "https://git.kernel.org/stable/c/61c7a5256543ae7d24cd9d21853d514c8632e1e9"
},
{
"url": "https://git.kernel.org/stable/c/8289d422f5e484efe4a565fe18e862ecd621c175"
},
{
"url": "https://git.kernel.org/stable/c/6f03ce2f1abcb9f9d0511e3659ca6eb60e39f566"
},
{
"url": "https://git.kernel.org/stable/c/05561f822f27b9fa88fa5504ddec34bf38833034"
},
{
"url": "https://git.kernel.org/stable/c/fce5cc7cbd4b92f979bf02c9ec5fb69aaeba92d7"
},
{
"url": "https://git.kernel.org/stable/c/6eef7a2b933885a17679eb8ed0796ddf0ee5309b"
}
],
"title": "netfilter: conntrack: Avoid nf_ct_helper_hash uses after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53619",
"datePublished": "2025-10-07T15:19:26.003Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:26.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50539 (GCVE-0-2022-50539)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: OMAP2+: omap4-common: Fix refcount leak bug
In omap4_sram_init(), of_find_compatible_node() will return a node
pointer with refcount incremented. We should use of_node_put() when
it is not used anymore.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-omap2/omap4-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d9452ae3bdb830f9309cf10a2f65977999cb14e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "049875b76660bbdc4873a915afb294f954eb7320",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c32919a378782c95c72bc028b5c30dfe8c11f82",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-omap2/omap4-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: omap4-common: Fix refcount leak bug\n\nIn omap4_sram_init(), of_find_compatible_node() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:05.152Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d9452ae3bdb830f9309cf10a2f65977999cb14e"
},
{
"url": "https://git.kernel.org/stable/c/049875b76660bbdc4873a915afb294f954eb7320"
},
{
"url": "https://git.kernel.org/stable/c/7c32919a378782c95c72bc028b5c30dfe8c11f82"
}
],
"title": "ARM: OMAP2+: omap4-common: Fix refcount leak bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50539",
"datePublished": "2025-10-07T15:21:05.152Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:05.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53682 (GCVE-0-2023-53682)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (xgene) Fix ioremap and memremap leak
Smatch reports:
drivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:
'ctx->pcc_comm_addr' from ioremap() not released on line: 757.
This is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),
ioremap and memremap are not released, which may cause a leak.
To fix this, ioremap and memremap are modified to devm_ioremap and
devm_memremap.
[groeck: Fixed formatting and subject]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/xgene-hwmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d482a09acd3d5f61a56aefc125d32c81994707b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1773185a0a87006c1be78a978d9dd61aa7a33db8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "813cc94c7847ae4a17e9f744fb4dbdf7df6bd732",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/xgene-hwmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (xgene) Fix ioremap and memremap leak\n\nSmatch reports:\n\ndrivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:\n\u0027ctx-\u003epcc_comm_addr\u0027 from ioremap() not released on line: 757.\n\nThis is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),\nioremap and memremap is not released, which may cause a leak.\n\nTo fix this, ioremap and memremap is modified to devm_ioremap and\ndevm_memremap.\n\n[groeck: Fixed formatting and subject]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:36.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d482a09acd3d5f61a56aefc125d32c81994707b"
},
{
"url": "https://git.kernel.org/stable/c/1773185a0a87006c1be78a978d9dd61aa7a33db8"
},
{
"url": "https://git.kernel.org/stable/c/813cc94c7847ae4a17e9f744fb4dbdf7df6bd732"
}
],
"title": "hwmon: (xgene) Fix ioremap and memremap leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53682",
"datePublished": "2025-10-07T15:21:36.020Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:36.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50544 (GCVE-0-2022-50544)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
xhci_alloc_stream_info() allocates stream context array for stream_info
->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
stream_info->stream_ctx_array is not released, which will lead to a
memory leak.
We can fix it by releasing the stream_info->stream_ctx_array with
xhci_free_stream_ctx() on the error path to avoid the potential memory
leak.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fc6bab3413e6a42bb1264ff7c9149808c93a4c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e702de2f5c893bf2cdb0152191f99a6ad1411823",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ddab9fe76296840aad686c66888a9c1dfdbff5ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9fa81cbd2dd300aa8fe9bac70e068b9a11cbb144",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91271a3e772e180bbb8afb114c72fd294a02f93d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fcd594da0b5955119d9707e4e0a8d0fb1c969101",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a40ad475236022f3432880e3091c380e46e71a71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "782c873f8e7686f5b3c47e8b099f7e08c3dd1fdc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e271f42a5cc3768cd2622b929ba66859ae21f97",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()\n\nxhci_alloc_stream_info() allocates stream context array for stream_info\n-\u003estream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,\nstream_info-\u003estream_ctx_array is not released, which will lead to a\nmemory leak.\n\nWe can fix it by releasing the stream_info-\u003estream_ctx_array with\nxhci_free_stream_ctx() on the error path to avoid the potential memory\nleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:08.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fc6bab3413e6a42bb1264ff7c9149808c93a4c7"
},
{
"url": "https://git.kernel.org/stable/c/e702de2f5c893bf2cdb0152191f99a6ad1411823"
},
{
"url": "https://git.kernel.org/stable/c/ddab9fe76296840aad686c66888a9c1dfdbff5ff"
},
{
"url": "https://git.kernel.org/stable/c/9fa81cbd2dd300aa8fe9bac70e068b9a11cbb144"
},
{
"url": "https://git.kernel.org/stable/c/91271a3e772e180bbb8afb114c72fd294a02f93d"
},
{
"url": "https://git.kernel.org/stable/c/fcd594da0b5955119d9707e4e0a8d0fb1c969101"
},
{
"url": "https://git.kernel.org/stable/c/a40ad475236022f3432880e3091c380e46e71a71"
},
{
"url": "https://git.kernel.org/stable/c/782c873f8e7686f5b3c47e8b099f7e08c3dd1fdc"
},
{
"url": "https://git.kernel.org/stable/c/7e271f42a5cc3768cd2622b929ba66859ae21f97"
}
],
"title": "usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50544",
"datePublished": "2025-10-07T15:21:08.629Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:08.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50547 (GCVE-0-2022-50547)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: solo6x10: fix possible memory leak in solo_sysfs_init()
If device_register() returns an error in solo_sysfs_init(), the
name allocated by dev_set_name() needs to be freed. As the comment of
device_register() says, it should use put_device() to give up
the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup().
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: dcae5dacbce518513abf7776cb450b7bd95d722b |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/solo6x10/solo6x10-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83d4b1ae98a47a739fa5241300b86eb1110d5d63",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "b61509093e1af69e336a094d439b8e1137cb40d8",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "963729538674be4cb8fa292529ecf32de0d6c6dd",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "7b02c50d3978840781808e13bc13137fb81286b5",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "49060c0da57a381563e482e331dc9d4c3725b41b",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "7cf71bbe5d2ee12613f6e278888f5fc9c5c0cc2b",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "d6db105bcfbdbbbd484e788a0ddf8140a4a8c486",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "9416861170ba0da8ddb0f4fd2d28334f0ed3b9c2",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
},
{
"lessThan": "7f5866dd96d95b74e439f6ee17b8abd8195179fb",
"status": "affected",
"version": "dcae5dacbce518513abf7776cb450b7bd95d722b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/solo6x10/solo6x10-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: solo6x10: fix possible memory leak in solo_sysfs_init()\n\nIf device_register() returns error in solo_sysfs_init(), the\nname allocated by dev_set_name() need be freed. As comment of\ndevice_register() says, it should use put_device() to give up\nthe reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:10.620Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83d4b1ae98a47a739fa5241300b86eb1110d5d63"
},
{
"url": "https://git.kernel.org/stable/c/b61509093e1af69e336a094d439b8e1137cb40d8"
},
{
"url": "https://git.kernel.org/stable/c/963729538674be4cb8fa292529ecf32de0d6c6dd"
},
{
"url": "https://git.kernel.org/stable/c/7b02c50d3978840781808e13bc13137fb81286b5"
},
{
"url": "https://git.kernel.org/stable/c/49060c0da57a381563e482e331dc9d4c3725b41b"
},
{
"url": "https://git.kernel.org/stable/c/7cf71bbe5d2ee12613f6e278888f5fc9c5c0cc2b"
},
{
"url": "https://git.kernel.org/stable/c/d6db105bcfbdbbbd484e788a0ddf8140a4a8c486"
},
{
"url": "https://git.kernel.org/stable/c/9416861170ba0da8ddb0f4fd2d28334f0ed3b9c2"
},
{
"url": "https://git.kernel.org/stable/c/7f5866dd96d95b74e439f6ee17b8abd8195179fb"
}
],
"title": "media: solo6x10: fix possible memory leak in solo_sysfs_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50547",
"datePublished": "2025-10-07T15:21:10.620Z",
"dateReserved": "2025-10-07T15:15:38.668Z",
"dateUpdated": "2025-10-07T15:21:10.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53666 (GCVE-0-2023-53666)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd938x: fix missing mbhc init error handling
MBHC initialisation can fail so add the missing error handling to avoid
dereferencing an error pointer when later configuring the jack:
Unable to handle kernel paging request at virtual address fffffffffffffff8
pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]
lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]
Call trace:
wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]
wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]
snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]
qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]
sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]
snd_soc_link_init+0x28/0x90 [snd_soc_core]
snd_soc_bind_card+0x628/0xbfc [snd_soc_core]
snd_soc_register_card+0xec/0x104 [snd_soc_core]
devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]
sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a34d252052b5da743ef82591c860fc947384d4e",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "bb241ae928c694e365c30c888c9eb02dcc812dfd",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "31ee704c84c4bf4df8521ef1478c161f710d0f94",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix missing mbhc init error handling\n\nMBHC initialisation can fail so add the missing error handling to avoid\ndereferencing an error pointer when later configuring the jack:\n\n Unable to handle kernel paging request at virtual address fffffffffffffff8\n\n pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n\n Call trace:\n wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]\n qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]\n sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]\n snd_soc_link_init+0x28/0x90 [snd_soc_core]\n snd_soc_bind_card+0x628/0xbfc [snd_soc_core]\n snd_soc_register_card+0xec/0x104 [snd_soc_core]\n devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]\n sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:24.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a34d252052b5da743ef82591c860fc947384d4e"
},
{
"url": "https://git.kernel.org/stable/c/bb241ae928c694e365c30c888c9eb02dcc812dfd"
},
{
"url": "https://git.kernel.org/stable/c/31ee704c84c4bf4df8521ef1478c161f710d0f94"
},
{
"url": "https://git.kernel.org/stable/c/7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66"
}
],
"title": "ASoC: codecs: wcd938x: fix missing mbhc init error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53666",
"datePublished": "2025-10-07T15:21:24.490Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:24.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53679 (GCVE-0-2023-53679)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt7601u: fix an integer underflow
Fix an integer underflow that leads to a null pointer dereference in
'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
could be manipulated, which could trigger an integer underflow of
'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
bypassed, eventually leading to a dereference of the pointer 'p', which
is a null pointer.
Ensure that 'dma_len' is greater than 'min_seg_len'.
Found by a modified version of syzkaller.
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+
#139
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
mt7601u_rx_tasklet+0xc73/0x1270
? mt7601u_submit_rx_buf.isra.0+0x510/0x510
? tasklet_action_common.isra.0+0x79/0x2f0
tasklet_action_common.isra.0+0x206/0x2f0
__do_softirq+0x1b5/0x880
? tasklet_unlock+0x30/0x30
run_ksoftirqd+0x26/0x50
smpboot_thread_fn+0x34f/0x7d0
? smpboot_register_percpu_thread+0x370/0x370
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 57f34f93b4da0f9b ]---
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt7601u/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67e4519afba215199b6dfa39ce5d7ea673ee4138",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47dc1f425af57b71111d7b01ebd24e04e8d967ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a1f43059afae5cc9409e0c3bc63bfc09bc8facb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61d0163e2be7a439cf6f82e9ad7de563ecf41e7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d0db59e2f718d1e2f1d2a2d8092168fdd2f3add0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "803f3176c5df3b5582c27ea690f204abb60b19b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt7601u/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt7601u: fix an integer underflow\n\nFix an integer underflow that leads to a null pointer dereference in\n\u0027mt7601u_rx_skb_from_seg()\u0027. The variable \u0027dma_len\u0027 in the URB packet\ncould be manipulated, which could trigger an integer underflow of\n\u0027seg_len\u0027 in \u0027mt7601u_rx_process_seg()\u0027. This underflow subsequently\ncauses the \u0027bad_frame\u0027 checks in \u0027mt7601u_rx_skb_from_seg()\u0027 to be\nbypassed, eventually leading to a dereference of the pointer \u0027p\u0027, which\nis a null pointer.\n\nEnsure that \u0027dma_len\u0027 is greater than \u0027min_seg_len\u0027.\n\nFound by a modified version of syzkaller.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+\n#139\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n 
mt7601u_rx_tasklet+0xc73/0x1270\n ? mt7601u_submit_rx_buf.isra.0+0x510/0x510\n ? tasklet_action_common.isra.0+0x79/0x2f0\n tasklet_action_common.isra.0+0x206/0x2f0\n __do_softirq+0x1b5/0x880\n ? tasklet_unlock+0x30/0x30\n run_ksoftirqd+0x26/0x50\n smpboot_thread_fn+0x34f/0x7d0\n ? smpboot_register_percpu_thread+0x370/0x370\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\nModules linked in: 88XXau(O) 88x2bu(O)\n---[ end trace 57f34f93b4da0f9b ]---\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:33.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67e4519afba215199b6dfa39ce5d7ea673ee4138"
},
{
"url": "https://git.kernel.org/stable/c/47dc1f425af57b71111d7b01ebd24e04e8d967ef"
},
{
"url": "https://git.kernel.org/stable/c/1a1f43059afae5cc9409e0c3bc63bfc09bc8facb"
},
{
"url": "https://git.kernel.org/stable/c/61d0163e2be7a439cf6f82e9ad7de563ecf41e7a"
},
{
"url": "https://git.kernel.org/stable/c/d0db59e2f718d1e2f1d2a2d8092168fdd2f3add0"
},
{
"url": "https://git.kernel.org/stable/c/803f3176c5df3b5582c27ea690f204abb60b19b9"
}
],
"title": "wifi: mt7601u: fix an integer underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53679",
"datePublished": "2025-10-07T15:21:33.926Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:33.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50521 (GCVE-0-2022-50521)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()
is not freed after the call, so it leads to memory leak.
The method results in ACPI buffer is not used, so just pass NULL to
wmi_evaluate_method() which fixes the memory leak.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | 99b38b4acc0d7dbbab443273577cff60080fcfad |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/mxm-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50ac517d6f5348b276f1f663799cf85dce521518",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "5b0f81b0808235967868e01336c976e840217108",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "14bb4bde3b7b2584734b13747b345caeeb41bea3",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "17cd8c46cbec4e6ad593fb9159928b8e7608c11a",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "3cf81501356c9e898ad94b2369ffc805f83f7d7b",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "379e7794c5e7485193d25d73614fbbd1e1387f6f",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "87426ce3bd57ad414b6e2436434ef8128986a9a5",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "727cc0147f5066e359aca65cc6cc5e6d64cc15d8",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/mxm-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()\n\nThe ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()\nis not freed after the call, so it leads to memory leak.\n\nThe method results in ACPI buffer is not used, so just pass NULL to\nwmi_evaluate_method() which fixes the memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:15.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50ac517d6f5348b276f1f663799cf85dce521518"
},
{
"url": "https://git.kernel.org/stable/c/5b0f81b0808235967868e01336c976e840217108"
},
{
"url": "https://git.kernel.org/stable/c/14bb4bde3b7b2584734b13747b345caeeb41bea3"
},
{
"url": "https://git.kernel.org/stable/c/17cd8c46cbec4e6ad593fb9159928b8e7608c11a"
},
{
"url": "https://git.kernel.org/stable/c/3cf81501356c9e898ad94b2369ffc805f83f7d7b"
},
{
"url": "https://git.kernel.org/stable/c/379e7794c5e7485193d25d73614fbbd1e1387f6f"
},
{
"url": "https://git.kernel.org/stable/c/87426ce3bd57ad414b6e2436434ef8128986a9a5"
},
{
"url": "https://git.kernel.org/stable/c/727cc0147f5066e359aca65cc6cc5e6d64cc15d8"
}
],
"title": "platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50521",
"datePublished": "2025-10-07T15:19:15.213Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:15.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50516 (GCVE-0-2022-50516)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: dlm: fix invalid derefence of sb_lvbptr
I experience issues when putting a lkbsb on the stack and have sb_lvbptr
field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
with the following kernel message, the dangled pointer is here
0xdeadbeef as example:
[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
[ 102.749320] #PF: supervisor read access in kernel mode
[ 102.749323] #PF: error_code(0x0000) - not-present page
[ 102.749325] PGD 0 P4D 0
[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 102.749379] PKRU: 55555554
[ 102.749381] Call Trace:
[ 102.749382] <TASK>
[ 102.749383] ? send_args+0xb2/0xd0
[ 102.749389] send_common+0xb7/0xd0
[ 102.749395] _unlock_lock+0x2c/0x90
[ 102.749400] unlock_lock.isra.56+0x62/0xa0
[ 102.749405] dlm_unlock+0x21e/0x330
[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
[ 102.749419] ? preempt_count_sub+0xba/0x100
[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
[ 102.786186] kthread+0x10a/0x130
[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
[ 102.787156] ret_from_fork+0x22/0x30
[ 102.787588] </TASK>
[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
[ 102.792536] CR2: 00000000deadbeef
[ 102.792930] ---[ end trace 0000000000000000 ]---
This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
is set when copying the lvbptr array instead of if it's just null which
fixes for me the issue.
I think this patch can fix other dlm users as well, depending how they
handle the init, freeing memory handling of sb_lvbptr and don't set
DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
hidden issue all the time. However with checking on DLM_LKF_VALBLK the
user always need to provide a sb_lvbptr non-null value. There might be
more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
non-null to report the user the way how DLM API is used is wrong but can
be added for later, this will only fix the current behaviour.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea7be82fd7e1f5de72208bce93fbbe6de6c13dec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ab6d3030652b5de0015176a5b0ad9df9b847514",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57c1cfb5781068e5d3632bc6e5f74a8fcc4f1a30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7175e131ebba47afef47e6ac4d5bab474d1e6e49",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix invalid derefence of sb_lvbptr\n\nI experience issues when putting a lkbsb on the stack and have sb_lvbptr\nfield to a dangled pointer while not using DLM_LKF_VALBLK. It will crash\nwith the following kernel message, the dangled pointer is here\n0xdeadbeef as example:\n\n[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef\n[ 102.749320] #PF: supervisor read access in kernel mode\n[ 102.749323] #PF: error_code(0x0000) - not-present page\n[ 102.749325] PGD 0 P4D 0\n[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565\n[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014\n[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10\n[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 \u003cf3\u003e a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe\n[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202\n[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040\n[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070\n[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001\n[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70\n[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001\n[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000\n[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0\n[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 102.749379] PKRU: 55555554\n[ 
102.749381] Call Trace:\n[ 102.749382] \u003cTASK\u003e\n[ 102.749383] ? send_args+0xb2/0xd0\n[ 102.749389] send_common+0xb7/0xd0\n[ 102.749395] _unlock_lock+0x2c/0x90\n[ 102.749400] unlock_lock.isra.56+0x62/0xa0\n[ 102.749405] dlm_unlock+0x21e/0x330\n[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]\n[ 102.749419] ? preempt_count_sub+0xba/0x100\n[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]\n[ 102.786186] kthread+0x10a/0x130\n[ 102.786581] ? kthread_complete_and_exit+0x20/0x20\n[ 102.787156] ret_from_fork+0x22/0x30\n[ 102.787588] \u003c/TASK\u003e\n[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw\n[ 102.792536] CR2: 00000000deadbeef\n[ 102.792930] ---[ end trace 0000000000000000 ]---\n\nThis patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags\nis set when copying the lvbptr array instead of if it\u0027s just null which\nfixes for me the issue.\n\nI think this patch can fix other dlm users as well, depending how they\nhandle the init, freeing memory handling of sb_lvbptr and don\u0027t set\nDLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a\nhidden issue all the time. However with checking on DLM_LKF_VALBLK the\nuser always need to provide a sb_lvbptr non-null value. There might be\nmore intelligent handling between per ls lvblen, DLM_LKF_VALBLK and\nnon-null to report the user the way how DLM API is used is wrong but can\nbe added for later, this will only fix the current behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:11.657Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea7be82fd7e1f5de72208bce93fbbe6de6c13dec"
},
{
"url": "https://git.kernel.org/stable/c/1ab6d3030652b5de0015176a5b0ad9df9b847514"
},
{
"url": "https://git.kernel.org/stable/c/57c1cfb5781068e5d3632bc6e5f74a8fcc4f1a30"
},
{
"url": "https://git.kernel.org/stable/c/7175e131ebba47afef47e6ac4d5bab474d1e6e49"
}
],
"title": "fs: dlm: fix invalid derefence of sb_lvbptr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50516",
"datePublished": "2025-10-07T15:19:11.657Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:11.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}