Common Weakness Enumeration

CWE-667

Allowed-with-Review

Improper Locking

Abstraction: Class · Status: Draft

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

693 vulnerabilities reference this CWE, most recent first.

GHSA-Q9QQ-7XQR-6GXF

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-20T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.",
  "id": "GHSA-q9qq-7xqr-6gxf",
  "modified": "2022-05-24T17:44:58Z",
  "published": "2022-05-24T17:44:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28951"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3ebba796fa251d042be42b929a2d916ee5c34a49"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCKIOXCOZGXBEZMO5LGGV5MWCHO6FT3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTRNPQTZ4GVS46SZ4OBXY5YDOGVPSTGQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2S3I4SLRNRUQDOFYUS6IUAZMQNMPNLG"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210430-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC5G-94X3-GF9G

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix locking in rxrpc's sendmsg

Fix three bugs in the rxrpc's sendmsg implementation:

(1) rxrpc_new_client_call() should release the socket lock when returning an error from rxrpc_get_call_slot().

(2) rxrpc_wait_for_tx_window_intr() will return without the call mutex held in the event that we're interrupted by a signal whilst waiting for tx space on the socket or relocking the call mutex afterwards.

 Fix this by: (a) moving the unlock/lock of the call mutex up to
 rxrpc_send_data() such that the lock is not held around all of
 rxrpc_wait_for_tx_window*() and (b) indicating to higher callers
 whether we're return with the lock dropped.  Note that this means
 recvmsg() will not block on this call whilst we're waiting.

(3) After dropping and regaining the call mutex, rxrpc_send_data() needs to go and recheck the state of the tx_pending buffer and the tx_total_len check in case we raced with another sendmsg() on the same call.

Thinking on this some more, it might make sense to have different locks for sendmsg() and recvmsg(). There's probably no need to make recvmsg() wait for sendmsg(). It does mean that recvmsg() can return MSG_EOR indicating that a call is dead before a sendmsg() to that call returns - but that can currently happen anyway.

Without fix (2), something like the following can be induced:

WARNING: bad unlock balance detected!
5.16.0-rc6-syzkaller #0 Not tainted
-------------------------------------
syz-executor011/3597 is trying to release lock (&call->user_mutex) at:
[<ffffffff885163a3>] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748
but there are no more locks to release!

other info that might help us debug this:
no locks held by syz-executor011/3597.
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_unlock_imbalance_bug include/trace/events/lock.h:58 [inline]
 __lock_release kernel/locking/lockdep.c:5306 [inline]
 lock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657
 __mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900
 rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748
 rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix locking in rxrpc\u0027s sendmsg\n\nFix three bugs in the rxrpc\u0027s sendmsg implementation:\n\n (1) rxrpc_new_client_call() should release the socket lock when returning\n     an error from rxrpc_get_call_slot().\n\n (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex\n     held in the event that we\u0027re interrupted by a signal whilst waiting\n     for tx space on the socket or relocking the call mutex afterwards.\n\n     Fix this by: (a) moving the unlock/lock of the call mutex up to\n     rxrpc_send_data() such that the lock is not held around all of\n     rxrpc_wait_for_tx_window*() and (b) indicating to higher callers\n     whether we\u0027re return with the lock dropped.  Note that this means\n     recvmsg() will not block on this call whilst we\u0027re waiting.\n\n (3) After dropping and regaining the call mutex, rxrpc_send_data() needs\n     to go and recheck the state of the tx_pending buffer and the\n     tx_total_len check in case we raced with another sendmsg() on the same\n     call.\n\nThinking on this some more, it might make sense to have different locks for\nsendmsg() and recvmsg().  There\u0027s probably no need to make recvmsg() wait\nfor sendmsg().  It does mean that recvmsg() can return MSG_EOR indicating\nthat a call is dead before a sendmsg() to that call returns - but that can\ncurrently happen anyway.\n\nWithout fix (2), something like the following can be induced:\n\n\tWARNING: bad unlock balance detected!\n\t5.16.0-rc6-syzkaller #0 Not tainted\n\t-------------------------------------\n\tsyz-executor011/3597 is trying to release lock (\u0026call-\u003euser_mutex) at:\n\t[\u003cffffffff885163a3\u003e] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\tno locks held by syz-executor011/3597.\n\t...\n\tCall Trace:\n\t \u003cTASK\u003e\n\t __dump_stack lib/dump_stack.c:88 [inline]\n\t dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n\t print_unlock_imbalance_bug include/trace/events/lock.h:58 [inline]\n\t __lock_release kernel/locking/lockdep.c:5306 [inline]\n\t lock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657\n\t __mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900\n\t rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\n\t rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561\n\t sock_sendmsg_nosec net/socket.c:704 [inline]\n\t sock_sendmsg+0xcf/0x120 net/socket.c:724\n\t ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n\t ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n\t __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n\t do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n\t do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n\t entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this]",
  "id": "GHSA-qc5g-94x3-gf9g",
  "modified": "2025-11-14T18:31:24Z",
  "published": "2025-06-18T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/091dc91e119fdd61432347231724f4e861c6b465"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bc769b8edb158be7379d15f36e23d66cf850053"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79e2ca7aa96e80961828ab6312264633b66183cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0f571ecd7943423c25947439045f0d352ca3dbf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCGC-5P4X-HXC8

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix lockdep assertion on sync reset unload event

Fix lockdep assertion triggered during sync reset unload event. When the sync reset flow is initiated using the devlink reload fw_activate option, the PF already holds the devlink lock while handling unload event. In this case, delegate sync reset unload event handling back to the devlink callback process to avoid double-locking and resolve the lockdep warning.

Kernel log: WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40 [...] Call Trace: mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core] mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core] process_one_work+0x222/0x640 worker_thread+0x199/0x350 kthread+0x10b/0x230 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x8e/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T14:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix lockdep assertion on sync reset unload event\n\nFix lockdep assertion triggered during sync reset unload event. When the\nsync reset flow is initiated using the devlink reload fw_activate\noption, the PF already holds the devlink lock while handling unload\nevent. In this case, delegate sync reset unload event handling back to\nthe devlink callback process to avoid double-locking and resolve the\nlockdep warning.\n\nKernel log:\nWARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40\n[...]\nCall Trace:\n\u003cTASK\u003e\n mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]\n mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]\n process_one_work+0x222/0x640\n worker_thread+0x199/0x350\n kthread+0x10b/0x230\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x8e/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e",
  "id": "GHSA-qcgc-5p4x-hxc8",
  "modified": "2025-12-03T18:30:20Z",
  "published": "2025-09-16T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39832"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06d897148e79638651800d851a69547b56b4be2e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c87dba9ccd3801d3b503f0b4fd41be343af4f06"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/902a8bc23a24882200f57cadc270e15a2cfaf2bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFC7-WQHW-2Q8R

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2026-01-23 21:30
VLAI
Details

Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667",
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T14:15:52Z",
    "severity": "HIGH"
  },
  "details": "Under undisclosed traffic conditions along with conditions beyond the attacker\u0027s control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-qfc7-wqhw-2q8r",
  "modified": "2026-01-23T21:30:39Z",
  "published": "2025-10-15T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58153"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000151658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QFHJ-Q535-JF9W

Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume

In case there is any sort of clock controller attached to this I2C bus controller, for example Versaclock or even an AIC32x4 I2C codec, then an I2C transfer triggered from the clock controller clk_ops .prepare callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.

This is because the clock controller first grabs the prepare_lock mutex and then performs the prepare operation, including its I2C access. The I2C access resumes this I2C bus controller via .runtime_resume callback, which calls clk_prepare_enable(), which attempts to grab the prepare_lock mutex again and deadlocks.

Since the clock are already prepared since probe() and unprepared in remove(), use simple clk_enable()/clk_disable() calls to enable and disable the clock on runtime suspend and resume, to avoid hitting the prepare_lock mutex.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T18:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume\n\nIn case there is any sort of clock controller attached to this I2C bus\ncontroller, for example Versaclock or even an AIC32x4 I2C codec, then\nan I2C transfer triggered from the clock controller clk_ops .prepare\ncallback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.\n\nThis is because the clock controller first grabs the prepare_lock mutex\nand then performs the prepare operation, including its I2C access. The\nI2C access resumes this I2C bus controller via .runtime_resume callback,\nwhich calls clk_prepare_enable(), which attempts to grab the prepare_lock\nmutex again and deadlocks.\n\nSince the clock are already prepared since probe() and unprepared in\nremove(), use simple clk_enable()/clk_disable() calls to enable and\ndisable the clock on runtime suspend and resume, to avoid hitting the\nprepare_lock mutex.",
  "id": "GHSA-qfhj-q535-jf9w",
  "modified": "2025-11-04T00:31:44Z",
  "published": "2024-10-21T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49985"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/048bbbdbf85e5e00258dfb12f5e368f908801d7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1883cad2cc629ded4a3556c0bbb8b42533ad8764"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22a1f8a5b56ba93d3e8b7a1dafa24e01c8bb48ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/894cd5f5fd9061983445bbd1fa3d81be43095344"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b8bc33ad64192f54142396470cc34ce539a8940"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2024b1a583ab9176c797ea1e5f57baf8d5e2682"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6f1250a4d5773f447740b9fe37b8692105796d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fac3c9f7784e8184c0338e9f0877b81e55d3ef1c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFQW-8W5M-FMV4

Vulnerability from github – Published: 2025-01-31 12:33 – Updated: 2025-02-04 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel

Attempt to enable IPsec packet offload in tunnel mode in debug kernel generates the following kernel panic, which is happening due to two issues: 1. In SA add section, the should be _bh() variant when marking SA mode. 2. There is not needed flush_workqueue in SA delete routine. It is not needed as at this stage as it is removed from SADB and the running work will be canceled later in SA free.

===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 6.12.0+ #4 Not tainted


charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire: ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]

and this task is already holding: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 which would create a new lock dependency: (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}

but this new dependency connects a SOFTIRQ-irq-safe lock: (&x->lock){+.-.}-{3:3}

... which became SOFTIRQ-irq-safe at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 hrtimer_run_softirq+0x146/0x2e0 handle_softirqs+0x266/0x860 irq_exit_rcu+0x115/0x1a0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 default_idle+0x13/0x20 default_idle_call+0x67/0xa0 do_idle+0x2da/0x320 cpu_startup_entry+0x50/0x60 start_secondary+0x213/0x2a0 common_startup_64+0x129/0x138

to a SOFTIRQ-irq-unsafe lock: (&xa->xa_lock#24){+.+.}-{3:3}

... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1be/0x520 _raw_spin_lock+0x2c/0x40 xa_set_mark+0x70/0x110 mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53

other info that might help us debug this:

Possible interrupt unsafe locking scenario:

    CPU0                    CPU1
    ----                    ----

lock(&xa->xa_lock#24); local_irq_disable(); lock(&x->lock); lock(&xa->xa_lock#24); lock(&x->lock);

*** DEADLOCK ***

2 locks held by charon/1337: #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90 #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30

the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&x->lock){+.-.}-{3:3} ops: 29 { HARDIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_alloc_spi+0xc0/0xe60 xfrm_alloc_userspi+0x5f6/0xbc0 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 IN-SOFTIRQ-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60

---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T12:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel\n\nAttempt to enable IPsec packet offload in tunnel mode in debug kernel\ngenerates the following kernel panic, which is happening due to two\nissues:\n1. In SA add section, the should be _bh() variant when marking SA mode.\n2. There is not needed flush_workqueue in SA delete routine. It is not\nneeded as at this stage as it is removed from SADB and the running work\nwill be canceled later in SA free.\n\n =====================================================\n WARNING: SOFTIRQ-safe -\u003e SOFTIRQ-unsafe lock order detected\n 6.12.0+ #4 Not tainted\n -----------------------------------------------------\n charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:\n ffff88810f365020 (\u0026xa-\u003exa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]\n\n and this task is already holding:\n ffff88813e0f0d48 (\u0026x-\u003elock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n which would create a new lock dependency:\n  (\u0026x-\u003elock){+.-.}-{3:3} -\u003e (\u0026xa-\u003exa_lock#24){+.+.}-{3:3}\n\n but this new dependency connects a SOFTIRQ-irq-safe lock:\n  (\u0026x-\u003elock){+.-.}-{3:3}\n\n ... which became SOFTIRQ-irq-safe at:\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock_bh+0x34/0x40\n   xfrm_timer_handler+0x91/0xd70\n   __hrtimer_run_queues+0x1dd/0xa60\n   hrtimer_run_softirq+0x146/0x2e0\n   handle_softirqs+0x266/0x860\n   irq_exit_rcu+0x115/0x1a0\n   sysvec_apic_timer_interrupt+0x6e/0x90\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n   default_idle+0x13/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2da/0x320\n   cpu_startup_entry+0x50/0x60\n   start_secondary+0x213/0x2a0\n   common_startup_64+0x129/0x138\n\n to a SOFTIRQ-irq-unsafe lock:\n  (\u0026xa-\u003exa_lock#24){+.+.}-{3:3}\n\n ... which became SOFTIRQ-irq-unsafe at:\n ...\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock+0x2c/0x40\n   xa_set_mark+0x70/0x110\n   mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]\n   xfrm_dev_state_add+0x3bb/0xd70\n   xfrm_add_sa+0x2451/0x4a90\n   xfrm_user_rcv_msg+0x493/0x880\n   netlink_rcv_skb+0x12e/0x380\n   xfrm_netlink_rcv+0x6d/0x90\n   netlink_unicast+0x42f/0x740\n   netlink_sendmsg+0x745/0xbe0\n   __sock_sendmsg+0xc5/0x190\n   __sys_sendto+0x1fe/0x2c0\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n other info that might help us debug this:\n\n  Possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(\u0026xa-\u003exa_lock#24);\n                                local_irq_disable();\n                                lock(\u0026x-\u003elock);\n                                lock(\u0026xa-\u003exa_lock#24);\n   \u003cInterrupt\u003e\n     lock(\u0026x-\u003elock);\n\n  *** DEADLOCK ***\n\n 2 locks held by charon/1337:\n  #0: ffffffff87f8f858 (\u0026net-\u003exfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90\n  #1: ffff88813e0f0d48 (\u0026x-\u003elock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n\n the dependencies between SOFTIRQ-irq-safe lock and the holding lock:\n -\u003e (\u0026x-\u003elock){+.-.}-{3:3} ops: 29 {\n    HARDIRQ-ON-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_alloc_spi+0xc0/0xe60\n                     xfrm_alloc_userspi+0x5f6/0xbc0\n                     xfrm_user_rcv_msg+0x493/0x880\n                     netlink_rcv_skb+0x12e/0x380\n                     xfrm_netlink_rcv+0x6d/0x90\n                     netlink_unicast+0x42f/0x740\n                     netlink_sendmsg+0x745/0xbe0\n                     __sock_sendmsg+0xc5/0x190\n                     __sys_sendto+0x1fe/0x2c0\n                     __x64_sys_sendto+0xdc/0x1b0\n                     do_syscall_64+0x6d/0x140\n                     entry_SYSCALL_64_after_hwframe+0x4b/0x53\n    IN-SOFTIRQ-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_timer_handler+0x91/0xd70\n                     __hrtimer_run_queues+0x1dd/0xa60\n   \n---truncated---",
  "id": "GHSA-qfqw-8w5m-fmv4",
  "modified": "2025-02-04T18:30:47Z",
  "published": "2025-01-31T12:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21674"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c3688090f8a1f085230aa839cc63e4a7b977df0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d3d69c070d920fbb146d73dd3899a50f25d0901"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87c4417a902151cfe4363166245a3671a08c256c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QGMQ-76M4-C2JV

Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2025-03-25 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix deadlock during uvc_probe

If uvc_probe() fails, it can end up calling uvc_status_unregister() before uvc_status_init() is called.

Fix this by checking if dev->status is NULL or not in uvc_status_unregister().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-06T16:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix deadlock during uvc_probe\n\nIf uvc_probe() fails, it can end up calling uvc_status_unregister() before\nuvc_status_init() is called.\n\nFix this by checking if dev-\u003estatus is NULL or not in\nuvc_status_unregister().",
  "id": "GHSA-qgmq-76m4-c2jv",
  "modified": "2025-03-25T15:31:22Z",
  "published": "2025-03-06T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58059"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a67f75c2b5ecf534eab416ce16c11fe780c4f8f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db577ededf3a18b39567fc1a6209f12a0c4a3c52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHPW-2QGQ-68PX

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix locking usage for tcon fields

We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization.

There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:41Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix locking usage for tcon fields\n\nWe used to use the cifs_tcp_ses_lock to protect a lot of objects\nthat are not just the server, ses or tcon lists. We later introduced\nsrv_lock, ses_lock and tc_lock to protect fields within the\ncorresponding structs. This was done to provide a more granular\nprotection and avoid unnecessary serialization.\n\nThere were still a couple of uses of cifs_tcp_ses_lock to provide\ntcon fields. In this patch, I\u0027ve replaced them with tc_lock.",
  "id": "GHSA-qhpw-2qgq-68px",
  "modified": "2026-05-08T15:31:18Z",
  "published": "2026-05-06T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43215"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3969db6b22e3d90d8c5f22ac1a7fe0350a94c136"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/601dd3b79769b38d30b693c40afdb2a4b7edf9d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c59eeeeffa1524ef57e173a89a1a3ff539888d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/953953abb66e52c224057ab91e404284fefeab62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96c4af418586ee9a6aab61738644366426e05316"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJVC-XMQV-CWR9

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change

rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace:

====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted


syz-executor386/5093 is trying to acquire lock: ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73

but task is already holding lock: ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:17Z",
    "severity": "LOW"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change\n\nrfcomm_sk_state_change attempts to use sock_lock so it must never be\ncalled with it locked but rfcomm_sock_ioctl always attempt to lock it\ncausing the following trace:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted\n------------------------------------------------------\nsyz-executor386/5093 is trying to acquire lock:\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73\n\nbut task is already holding lock:\nffff88807badfd28 (\u0026d-\u003elock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491",
  "id": "GHSA-qjvc-xmqv-cwr9",
  "modified": "2026-05-12T15:30:39Z",
  "published": "2024-10-21T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50044"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08d1914293dae38350b8088980e59fbc699a72fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38b2d5a57d125e1c17661b8308c0240c4a43b534"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/496b2ab0fd10f205e08909a125485fdc98843dbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cb9807c9b53bf1e5560420d26f319f528b50268"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/869c6ee62ab8f01bf2419e45326642be5c9b670a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b77b3fb12fd483cae7c28648903b1d8a6b275f01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ced98072d3511b232ae1d3347945f35f30c0e303"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef44274dae9b0a90d1a97ce8b242a3b8243a7745"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ67-P454-7JFC

Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2025-03-07 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix another deadlock during RTC update

If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm's usage_count is 0, we will enter the runtime suspend callback. However, the runtime suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.

Replace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the deadlock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T18:15:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix another deadlock during RTC update\n\nIf ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm\u0027s usage_count\nis 0, we will enter the runtime suspend callback.  However, the runtime\nsuspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.\n\nReplace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the\ndeadlock.",
  "id": "GHSA-qq67-p454-7jfc",
  "modified": "2025-03-07T18:31:01Z",
  "published": "2024-11-19T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53053"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9aa1f0da237d6b16e36e0a0cc9f746d1d78396ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a128cfec44709ab1bd1f01d158569bcb2386f54f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb7e509c4e0197f63717fee54fb41c4990ba8d3a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Strategy: Libraries or Frameworks

Use industry standard APIs to implement locking mechanism.

CAPEC-25: Forced Deadlock

The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.