Search criteria
10494 vulnerabilities
CVE-2026-23039 (GCVE-0-2026-23039)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
drm/gud: fix NULL fb and crtc dereferences on USB disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gud: fix NULL fb and crtc dereferences on USB disconnect
On disconnect drm_atomic_helper_disable_all() is called which
sets both the fb and crtc for a plane to NULL before invoking a commit.
This causes a kernel oops on every display disconnect.
Add guards for those dereferences.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gud/gud_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a255ec07f91d4c73a361a28b7a3d82f5710245f1",
"status": "affected",
"version": "73cfd166e045769a1b42d36897accaa6e06b8102",
"versionType": "git"
},
{
"lessThan": "dc2d5ddb193e363187bae2ad358245642d2721fb",
"status": "affected",
"version": "73cfd166e045769a1b42d36897accaa6e06b8102",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gud/gud_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gud: fix NULL fb and crtc dereferences on USB disconnect\n\nOn disconnect drm_atomic_helper_disable_all() is called which\nsets both the fb and crtc for a plane to NULL before invoking a commit.\n\nThis causes a kernel oops on every display disconnect.\n\nAdd guards for those dereferences."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:33.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a255ec07f91d4c73a361a28b7a3d82f5710245f1"
},
{
"url": "https://git.kernel.org/stable/c/dc2d5ddb193e363187bae2ad358245642d2721fb"
}
],
"title": "drm/gud: fix NULL fb and crtc dereferences on USB disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23039",
"datePublished": "2026-01-31T11:42:33.377Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-01-31T11:42:33.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23038 (GCVE-0-2026-23038)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
the function jumps to the out_scratch label without freeing the already
allocated dsaddrs list, leading to a memory leak.
Fix this by jumping to the out_err_drain_dsaddrs label, which properly
frees the dsaddrs list before cleaning up other resources.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d67ae825a59d639e4d8b82413af84d854617a87e , < 869862056e100973e76ce9f5f1b01837771b7722
(git)
Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 86da7efd12295a7e2b4abde5e5984c821edd938f (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 0c728083654f0066f5e10a1d2b0bd0907af19a58 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "869862056e100973e76ce9f5f1b01837771b7722",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "86da7efd12295a7e2b4abde5e5984c821edd938f",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "0c728083654f0066f5e10a1d2b0bd0907af19a58",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\n\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\nthe function jumps to the out_scratch label without freeing the already\nallocated dsaddrs list, leading to a memory leak.\n\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\nfrees the dsaddrs list before cleaning up other resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:32.599Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722"
},
{
"url": "https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f"
},
{
"url": "https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb"
},
{
"url": "https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58"
}
],
"title": "pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23038",
"datePublished": "2026-01-31T11:42:32.599Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-01-31T11:42:32.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23037 (GCVE-0-2026-23037)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
can: etas_es58x: allow partial RX URB allocation to succeed
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: allow partial RX URB allocation to succeed
When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.
As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.
Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8537257874e949a59c834cecfd5a063e11b64b0b , < 611e839d2d552416b498ed5593e10670f61fcd4d
(git)
Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < ba45e3d6b02c97dbb4578fbae7027fd66f3caa10 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < 6c5124a60989051799037834f0a1a4b428718157 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < b1979778e98569c1e78c2c7f16bb24d76541ab00 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "611e839d2d552416b498ed5593e10670f61fcd4d",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "ba45e3d6b02c97dbb4578fbae7027fd66f3caa10",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "6c5124a60989051799037834f0a1a4b428718157",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b1979778e98569c1e78c2c7f16bb24d76541ab00",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: allow partial RX URB allocation to succeed\n\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\nURBs but succeeds in allocating some, it returns an error code.\nThis causes es58x_open() to return early, skipping the cleanup label\n\u0027free_urbs\u0027, which leads to the anchored URBs being leaked.\n\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\nto handle partial URB allocation gracefully. Therefore, partial\nallocation should not be treated as a fatal error.\n\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\nallocated, restoring the intended behavior and preventing the leak\nin es58x_open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:31.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d"
},
{
"url": "https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10"
},
{
"url": "https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157"
},
{
"url": "https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00"
}
],
"title": "can: etas_es58x: allow partial RX URB allocation to succeed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23037",
"datePublished": "2026-01-31T11:42:31.689Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-01-31T11:42:31.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23036 (GCVE-0-2026-23036)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to
the 'out' label with a path that has a read locked leaf and then we call
iget_failed(). This can result in a ABBA deadlock, since iget_failed()
triggers inode eviction and that causes the release of the delayed inode,
which must lock the delayed inode's mutex, and a task updating a delayed
inode starts by taking the node's mutex and then modifying the inode's
subvolume btree.
Syzbot reported the following lockdep splat for this:
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
btrfs-cleaner/8725 is trying to acquire lock:
ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
but task is already holding lock:
ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (btrfs-tree-00){++++}-{4:4}:
__lock_release kernel/locking/lockdep.c:5574 [inline]
lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
up_read+0x24/0x3c kernel/locking/rwsem.c:1632
btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169
btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]
btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133
btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395
__btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032
btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]
__btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141
__btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176
btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219
flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828
do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158
btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226
process_one_work+0x7e8/0x155c kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3427
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
-> #0 (&delayed_node->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
evict+0x414/0x928 fs/inode.c:810
iput_final fs/inode.c:1914 [inline]
iput+0x95c/0xad4 fs/inode.c:1966
iget_failed+0xec/0x134 fs/bad_inode.c:248
btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65241e3ddda60b53a4ee3ae12721fc9ee21d5827",
"status": "affected",
"version": "69673992b1aea5540199d9b8b658ede72f55a6cf",
"versionType": "git"
},
{
"lessThan": "1e1f2055ad5a7a5d548789b334a4473a7665c418",
"status": "affected",
"version": "69673992b1aea5540199d9b8b658ede72f55a6cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe \u0027out\u0027 label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode\u0027s mutex, and a task updating a delayed\ninode starts by taking the node\u0027s mutex and then modifying the inode\u0027s\nsubvolume btree.\n\nSyzbot reported the following lockdep splat for this:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n syzkaller #0 Not tainted\n ------------------------------------------------------\n btrfs-cleaner/8725 is trying to acquire lock:\n ffff0000d6826a48 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n\n but task is already holding lock:\n ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (btrfs-tree-00){++++}-{4:4}:\n __lock_release kernel/locking/lockdep.c:5574 [inline]\n lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\n up_read+0x24/0x3c kernel/locking/rwsem.c:1632\n btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\n btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\n btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\n btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\n btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\n btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\n flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\n do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\n btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\n process_scheduled_works kernel/workqueue.c:3346 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3427\n kthread+0x5fc/0x75c kernel/kthread.c:463\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n\n -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}:\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain kernel/locking/lockdep.c:3908 [inline]\n __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\n lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n __mutex_lock kernel/locking/mutex.c:760 [inline]\n mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\n btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\n btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\n evict+0x414/0x928 fs/inode.c:810\n iput_final fs/inode.c:1914 [inline]\n iput+0x95c/0xad4 fs/inode.c:1966\n iget_failed+0xec/0x134 fs/bad_inode.c:248\n btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\n btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\n btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\n btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:30.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827"
},
{
"url": "https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418"
}
],
"title": "btrfs: release path before iget_failed() in btrfs_read_locked_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23036",
"datePublished": "2026-01-31T11:42:30.782Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-01-31T11:42:30.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23034 (GCVE-0-2026-23034)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
The user mode queue keeps a pointer to the most recent fence in
userq->last_fence. This pointer holds an extra dma_fence reference.
When the queue is destroyed, we free the fence driver and its xarray,
but we forgot to drop the last_fence reference.
Because of the missing dma_fence_put(), the last fence object can stay
alive when the driver unloads. This leaves an allocated object in the
amdgpu_userq_fence slab cache and triggers
This is visible during driver unload as:
BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
Call Trace:
kmem_cache_destroy
amdgpu_userq_fence_slab_fini
amdgpu_exit
__do_sys_delete_module
Fix this by putting userq->last_fence and clearing the pointer during
amdgpu_userq_fence_driver_free().
This makes sure the fence reference is released and the slab cache is
empty when the module exits.
v2: Update to only release userq->last_fence with dma_fence_put()
(Christian)
(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175",
"status": "affected",
"version": "edc762a51c7181d6fe1e0837e2eb69afb406f98e",
"versionType": "git"
},
{
"lessThan": "b2426a211dba6432e32a2e70e9183c6e134475c6",
"status": "affected",
"version": "edc762a51c7181d6fe1e0837e2eb69afb406f98e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix fence reference leak on queue teardown v2\n\nThe user mode queue keeps a pointer to the most recent fence in\nuserq-\u003elast_fence. This pointer holds an extra dma_fence reference.\n\nWhen the queue is destroyed, we free the fence driver and its xarray,\nbut we forgot to drop the last_fence reference.\n\nBecause of the missing dma_fence_put(), the last fence object can stay\nalive when the driver unloads. This leaves an allocated object in the\namdgpu_userq_fence slab cache and triggers\n\nThis is visible during driver unload as:\n\n BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()\n kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects\n Call Trace:\n kmem_cache_destroy\n amdgpu_userq_fence_slab_fini\n amdgpu_exit\n __do_sys_delete_module\n\nFix this by putting userq-\u003elast_fence and clearing the pointer during\namdgpu_userq_fence_driver_free().\n\nThis makes sure the fence reference is released and the slab cache is\nempty when the module exits.\n\nv2: Update to only release userq-\u003elast_fence with dma_fence_put()\n (Christian)\n\n(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:29.137Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175"
},
{
"url": "https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6"
}
],
"title": "drm/amdgpu/userq: Fix fence reference leak on queue teardown v2",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23034",
"datePublished": "2026-01-31T11:42:29.137Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:29.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23035 (GCVE-0-2026-23035)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails.
Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a
valid netdev.
On mlx5e_remove: Check validity of priv->profile, before attempting
to cleanup any resources that might be not there.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000370
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_remove+0x57/0x110
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 66a25f6b7c0bfd84e6d27b536f5d24116dbd52da (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 4ef8512e1427111f7ba92b4a847d181ff0aeec42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "66a25f6b7c0bfd84e6d27b536f5d24116dbd52da",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "4ef8512e1427111f7ba92b4a847d181ff0aeec42",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails.\n\nPass netdev to mlx5e_destroy_netdev() to guarantee it will work on a\nvalid netdev.\n\nOn mlx5e_remove: Check validity of priv-\u003eprofile, before attempting\nto cleanup any resources that might be not there.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==\u003e oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000370\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100\nRSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286\nRAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0\nRBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10\nR10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0\nR13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400\nFS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n mlx5e_remove+0x57/0x110\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:29.960Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02"
},
{
"url": "https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da"
},
{
"url": "https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42"
}
],
"title": "net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23035",
"datePublished": "2026-01-31T11:42:29.960Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-01-31T11:42:29.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23033 (GCVE-0-2026-23033)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
dmaengine: omap-dma: fix dma_pool resource leak in error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: omap-dma: fix dma_pool resource leak in error paths
The dma_pool created by dma_pool_create() is not destroyed when
dma_async_device_register() or of_dma_controller_register() fails,
causing a resource leak in the probe error paths.
Add dma_pool_destroy() in both error paths to properly release the
allocated dma_pool resource.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 88a9483f093bbb9263dcf21bc7fdb5132e5de88d
(git)
Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 4b93712e96be17029bd22787f2e39feb0e73272c (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 829b00481734dd54e72f755fd6584bce6fbffbb0 (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 2e1136acf8a8887c29f52e35a77b537309af321f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88a9483f093bbb9263dcf21bc7fdb5132e5de88d",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "4b93712e96be17029bd22787f2e39feb0e73272c",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "829b00481734dd54e72f755fd6584bce6fbffbb0",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "2e1136acf8a8887c29f52e35a77b537309af321f",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\n\nThe dma_pool created by dma_pool_create() is not destroyed when\ndma_async_device_register() or of_dma_controller_register() fails,\ncausing a resource leak in the probe error paths.\n\nAdd dma_pool_destroy() in both error paths to properly release the\nallocated dma_pool resource."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:28.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d"
},
{
"url": "https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c"
},
{
"url": "https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0"
},
{
"url": "https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f"
}
],
"title": "dmaengine: omap-dma: fix dma_pool resource leak in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23033",
"datePublished": "2026-01-31T11:42:28.352Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:28.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23032 (GCVE-0-2026-23032)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
null_blk: fix kmemleak by releasing references to fault configfs items
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: fix kmemleak by releasing references to fault configfs items
When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
driver sets up fault injection support by creating the timeout_inject,
requeue_inject, and init_hctx_fault_inject configfs items as children
of the top-level nullbX configfs group.
However, when the nullbX device is removed, the references taken to
these fault-config configfs items are not released. As a result,
kmemleak reports a memory leak, for example:
unreferenced object 0xc00000021ff25c40 (size 32):
comm "mkdir", pid 10665, jiffies 4322121578
hex dump (first 32 bytes):
69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_
69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........
backtrace (crc 1a018c86):
__kmalloc_node_track_caller_noprof+0x494/0xbd8
kvasprintf+0x74/0xf4
config_item_set_name+0xf0/0x104
config_group_init_type_name+0x48/0xfc
fault_config_init+0x48/0xf0
0xc0080000180559e4
configfs_mkdir+0x304/0x814
vfs_mkdir+0x49c/0x604
do_mkdirat+0x314/0x3d0
sys_mkdir+0xa0/0xd8
system_call_exception+0x1b0/0x4f0
system_call_vectored_common+0x15c/0x2ec
Fix this by explicitly releasing the references to the fault-config
configfs items when dropping the reference to the top-level nullbX
configfs group.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < 1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2
(git)
Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < d59ba448ccd595d5d65e197216cf781a87db2b28 (git) Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < f1718da051282698aa8fa150bebb9724f6389fda (git) Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < 40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "d59ba448ccd595d5d65e197216cf781a87db2b28",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "f1718da051282698aa8fa150bebb9724f6389fda",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "40b94ec7edbbb867c4e26a1a43d2b898f04b93c5",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix kmemleak by releasing references to fault configfs items\n\nWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk\ndriver sets up fault injection support by creating the timeout_inject,\nrequeue_inject, and init_hctx_fault_inject configfs items as children\nof the top-level nullbX configfs group.\n\nHowever, when the nullbX device is removed, the references taken to\nthese fault-config configfs items are not released. As a result,\nkmemleak reports a memory leak, for example:\n\nunreferenced object 0xc00000021ff25c40 (size 32):\n comm \"mkdir\", pid 10665, jiffies 4322121578\n hex dump (first 32 bytes):\n 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_\n 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........\n backtrace (crc 1a018c86):\n __kmalloc_node_track_caller_noprof+0x494/0xbd8\n kvasprintf+0x74/0xf4\n config_item_set_name+0xf0/0x104\n config_group_init_type_name+0x48/0xfc\n fault_config_init+0x48/0xf0\n 0xc0080000180559e4\n configfs_mkdir+0x304/0x814\n vfs_mkdir+0x49c/0x604\n do_mkdirat+0x314/0x3d0\n sys_mkdir+0xa0/0xd8\n system_call_exception+0x1b0/0x4f0\n system_call_vectored_common+0x15c/0x2ec\n\nFix this by explicitly releasing the references to the fault-config\nconfigfs items when dropping the reference to the top-level nullbX\nconfigfs group."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:11.640Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2"
},
{
"url": "https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28"
},
{
"url": "https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda"
},
{
"url": "https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5"
}
],
"title": "null_blk: fix kmemleak by releasing references to fault configfs items",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23032",
"datePublished": "2026-01-31T11:42:11.640Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:11.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23031 (GCVE-0-2026-23031)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().
Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < f905bcfa971edb89e398c98957838d8c6381c0c7
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 08624b7206ddb9148eeffc2384ebda2c47b6d1e9 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 9f669a38ca70839229b7ba0f851820850a2fe1f7 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 7352e1d5932a0e777e39fa4b619801191f57e603 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f905bcfa971edb89e398c98957838d8c6381c0c7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "08624b7206ddb9148eeffc2384ebda2c47b6d1e9",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "9f669a38ca70839229b7ba0f851820850a2fe1f7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "7352e1d5932a0e777e39fa4b619801191f57e603",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\n\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\nparent-\u003erx_submitted anchor and submitted. In the complete callback\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\ngs_can_close() the URBs are freed by calling\nusb_kill_anchored_urbs(parent-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in gs_can_close().\n\nFix the memory leak by anchoring the URB in the\ngs_usb_receive_bulk_callback() to the parent-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:09.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7"
},
{
"url": "https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9"
},
{
"url": "https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7"
},
{
"url": "https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23031",
"datePublished": "2026-01-31T11:42:09.276Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:09.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23030 (GCVE-0-2026-23030)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
The for_each_available_child_of_node() calls of_node_put() to
release child_np in each success loop. After breaking from the
loop with the child_np has been released, the code will jump to
the put_child label and will call the of_node_put() again if the
devm_request_threaded_irq() fails. These cause a double free bug.
Fix by returning directly to avoid the duplicate of_node_put().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < ebae26dd15140b840cf65be5e1c0daee949ba70b
(git)
Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < 027d42b97e6eb827c3438ebc09bab7efaee9270d (git) Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5 (git) Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < e07dea3de508cd6950c937cec42de7603190e1ca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/rockchip/phy-rockchip-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebae26dd15140b840cf65be5e1c0daee949ba70b",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "027d42b97e6eb827c3438ebc09bab7efaee9270d",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "e07dea3de508cd6950c937cec42de7603190e1ca",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/rockchip/phy-rockchip-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\n\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\n\nFix by returning directly to avoid the duplicate of_node_put()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:08.525Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b"
},
{
"url": "https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d"
},
{
"url": "https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5"
},
{
"url": "https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca"
}
],
"title": "phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23030",
"datePublished": "2026-01-31T11:42:08.525Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:08.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23029 (GCVE-0-2026-23029)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_eiointc_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/eiointc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d8553fc75aefa7ec936af0cf8443ff90b51732e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/eiointc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device-\u003edestroy() seems to be supposed to free its kvm_device\nstruct, but kvm_eiointc_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:07.750Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d"
},
{
"url": "https://git.kernel.org/stable/c/7d8553fc75aefa7ec936af0cf8443ff90b51732e"
}
],
"title": "LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23029",
"datePublished": "2026-01-31T11:42:07.750Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:07.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23028 (GCVE-0-2026-23028)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_ipi_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/ipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5defcc2f9c22e6e09b5be68234ad10f4ba0292b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/ipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device-\u003edestroy() seems to be supposed to free its kvm_device\nstruct, but kvm_ipi_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:06.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5defcc2f9c22e6e09b5be68234ad10f4ba0292b7"
},
{
"url": "https://git.kernel.org/stable/c/0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21"
}
],
"title": "LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23028",
"datePublished": "2026-01-31T11:42:06.984Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-01-31T11:42:06.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23027 (GCVE-0-2026-23027)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_pch_pic_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/pch_pic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc53a66227af08d868face4b33fa8b2e1ba187ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cf342a7c3adc5877837b53bbceb5cc9eff60bbf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kvm/intc/pch_pic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device-\u003edestroy() seems to be supposed to free its kvm_device\nstruct, but kvm_pch_pic_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:06.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed"
},
{
"url": "https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf"
}
],
"title": "LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23027",
"datePublished": "2026-01-31T11:42:06.183Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:42:06.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23026 (GCVE-0-2026-23026)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.
The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed
Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.
Found via static analysis and code review.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 6bf4ef078fd11910988889a6c0b3698d2e0c89af
(git)
Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 01b1d781394fc9b83015e3a3cd46b17bda842bd8 (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 3f747004bbd641131d9396d87b5d2d3d1e182728 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bf4ef078fd11910988889a6c0b3698d2e0c89af",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "01b1d781394fc9b83015e3a3cd46b17bda842bd8",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "3f747004bbd641131d9396d87b5d2d3d1e182728",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\n\nFix a memory leak in gpi_peripheral_config() where the original memory\npointed to by gchan-\u003econfig could be lost if krealloc() fails.\n\nThe issue occurs when:\n1. gchan-\u003econfig points to previously allocated memory\n2. krealloc() fails and returns NULL\n3. The function directly assigns NULL to gchan-\u003econfig, losing the\n reference to the original memory\n4. The original memory becomes unreachable and cannot be freed\n\nFix this by using a temporary variable to hold the krealloc() result\nand only updating gchan-\u003econfig when the allocation succeeds.\n\nFound via static analysis and code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:05.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af"
},
{
"url": "https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8"
},
{
"url": "https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85"
},
{
"url": "https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728"
}
],
"title": "dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23026",
"datePublished": "2026-01-31T11:42:05.185Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:42:05.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23025 (GCVE-0-2026-23025)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
mm/page_alloc: prevent pcp corruption with SMP=n
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: prevent pcp corruption with SMP=n
The kernel test robot has reported:
BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28
lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0
CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470
Call Trace:
<IRQ>
__dump_stack (lib/dump_stack.c:95)
dump_stack_lvl (lib/dump_stack.c:123)
dump_stack (lib/dump_stack.c:130)
spin_dump (kernel/locking/spinlock_debug.c:71)
do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)
_raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)
__free_frozen_pages (mm/page_alloc.c:2973)
___free_pages (mm/page_alloc.c:5295)
__free_pages (mm/page_alloc.c:5334)
tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)
? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)
? rcu_core (kernel/rcu/tree.c:?)
rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
rcu_core_si (kernel/rcu/tree.c:2879)
handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
__irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)
irq_exit_rcu (kernel/softirq.c:741)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)
</IRQ>
<TASK>
RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
free_pcppages_bulk (mm/page_alloc.c:1494)
drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)
__drain_all_pages (mm/page_alloc.c:2731)
drain_all_pages (mm/page_alloc.c:2747)
kcompactd (mm/compaction.c:3115)
kthread (kernel/kthread.c:465)
? __cfi_kcompactd (mm/compaction.c:3166)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork (arch/x86/kernel/process.c:164)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
</TASK>
Matthew has analyzed the report and identified that in drain_page_zone()
we are in a section protected by spin_lock(&pcp->lock) and then get an
interrupt that attempts spin_trylock() on the same lock. The code is
designed to work this way without disabling IRQs and occasionally fail the
trylock with a fallback. However, the SMP=n spinlock implementation
assumes spin_trylock() will always succeed, and thus it's normally a
no-op. Here the enabled lock debugging catches the problem, but otherwise
it could cause a corruption of the pcp structure.
The problem has been introduced by commit 574907741599 ("mm/page_alloc:
leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme
recognizes the need for disabling IRQs to prevent nesting spin_trylock()
sections on SMP=n, but the need to prevent the nesting in spin_lock() has
not been recognized. Fix it by introducing local wrappers that change the
spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places
that do spin_lock(&pcp->lock).
[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5749077415994eb02d660b2559b9d8278521e73d , < 4a04ff9cd816e7346fcc8126f00ed80481f6569d
(git)
Affected: 5749077415994eb02d660b2559b9d8278521e73d , < df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 (git) Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 3098f8f7c7b0686c74827aec42a2c45e69801ff8 (git) Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 038a102535eb49e10e93eafac54352fcc5d78847 (git) Affected: d1da921452b3ee7e07383c12955ab1c6f3b08752 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a04ff9cd816e7346fcc8126f00ed80481f6569d",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "3098f8f7c7b0686c74827aec42a2c45e69801ff8",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "038a102535eb49e10e93eafac54352fcc5d78847",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"status": "affected",
"version": "d1da921452b3ee7e07383c12955ab1c6f3b08752",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: prevent pcp corruption with SMP=n\n\nThe kernel test robot has reported:\n\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\n lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470\n Call Trace:\n \u003cIRQ\u003e\n __dump_stack (lib/dump_stack.c:95)\n dump_stack_lvl (lib/dump_stack.c:123)\n dump_stack (lib/dump_stack.c:130)\n spin_dump (kernel/locking/spinlock_debug.c:71)\n do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\n _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\n __free_frozen_pages (mm/page_alloc.c:2973)\n ___free_pages (mm/page_alloc.c:5295)\n __free_pages (mm/page_alloc.c:5334)\n tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\n ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\n ? rcu_core (kernel/rcu/tree.c:?)\n rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\n rcu_core_si (kernel/rcu/tree.c:2879)\n handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\n __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\n irq_exit_rcu (kernel/softirq.c:741)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\n free_pcppages_bulk (mm/page_alloc.c:1494)\n drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\n __drain_all_pages (mm/page_alloc.c:2731)\n drain_all_pages (mm/page_alloc.c:2747)\n kcompactd (mm/compaction.c:3115)\n kthread (kernel/kthread.c:465)\n ? __cfi_kcompactd (mm/compaction.c:3166)\n ? __cfi_kthread (kernel/kthread.c:412)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ? __cfi_kthread (kernel/kthread.c:412)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nMatthew has analyzed the report and identified that in drain_page_zone()\nwe are in a section protected by spin_lock(\u0026pcp-\u003elock) and then get an\ninterrupt that attempts spin_trylock() on the same lock. The code is\ndesigned to work this way without disabling IRQs and occasionally fail the\ntrylock with a fallback. However, the SMP=n spinlock implementation\nassumes spin_trylock() will always succeed, and thus it\u0027s normally a\nno-op. Here the enabled lock debugging catches the problem, but otherwise\nit could cause a corruption of the pcp structure.\n\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\nleave IRQs enabled for per-cpu page allocations\"). The pcp locking scheme\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\nnot been recognized. Fix it by introducing local wrappers that change the\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\nthat do spin_lock(\u0026pcp-\u003elock).\n\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:04.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d"
},
{
"url": "https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6"
},
{
"url": "https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8"
},
{
"url": "https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847"
}
],
"title": "mm/page_alloc: prevent pcp corruption with SMP=n",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23025",
"datePublished": "2026-01-31T11:42:04.426Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:42:04.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71191 (GCVE-0-2025-71191)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Make sure to drop the reference taken when looking up the DMA platform
device during of_dma_xlate() when releasing channel resources.
Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing
put_device() call in at_dma_xlate()") fixed the leak in a couple of
error paths but the reference is still leaking on successful allocation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 987c71671367f42460689b78244d7b894c50999a
(git)
Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 6a86cf2c09e149d5718a5b7090545f7566da9334 (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < f3c23b7e941349505c3d40de2cc0acd93d9ac057 (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < b9074b2d7a230b6e28caa23165e9d8bc0677d333 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "987c71671367f42460689b78244d7b894c50999a",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "6a86cf2c09e149d5718a5b7090545f7566da9334",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "f3c23b7e941349505c3d40de2cc0acd93d9ac057",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "b9074b2d7a230b6e28caa23165e9d8bc0677d333",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\n\nMake sure to drop the reference taken when looking up the DMA platform\ndevice during of_dma_xlate() when releasing channel resources.\n\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\nerror paths but the reference is still leaking on successful allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:03.545Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a"
},
{
"url": "https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334"
},
{
"url": "https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057"
},
{
"url": "https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333"
}
],
"title": "dmaengine: at_hdmac: fix device leak on of_dma_xlate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71191",
"datePublished": "2026-01-31T11:42:03.545Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-01-31T11:42:03.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71190 (GCVE-0-2025-71190)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
dmaengine: bcm-sba-raid: fix device leak on probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: bcm-sba-raid: fix device leak on probe
Make sure to drop the reference taken when looking up the mailbox device
during probe on probe failures and on driver unbind.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < c80ca7bdff158401440741bdcf9175bd8608580b
(git)
Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < db6f1d6d31711e73e6a214c73e6a8fb4cda0483d (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 7c3a46ebf15a9796b763a54272407fdbf945bed8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80ca7bdff158401440741bdcf9175bd8608580b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "db6f1d6d31711e73e6a214c73e6a8fb4cda0483d",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "7c3a46ebf15a9796b763a54272407fdbf945bed8",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: bcm-sba-raid: fix device leak on probe\n\nMake sure to drop the reference taken when looking up the mailbox device\nduring probe on probe failures and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:01.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b"
},
{
"url": "https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d"
},
{
"url": "https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b"
},
{
"url": "https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8"
}
],
"title": "dmaengine: bcm-sba-raid: fix device leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71190",
"datePublished": "2026-01-31T11:42:01.092Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-01-31T11:42:01.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71189 (GCVE-0-2025-71189)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Make sure to drop the reference taken to the DMA master OF node also on
late route allocation failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
134d9c52fca26d2d199516e915da00f0cc6adc73 , < db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1
(git)
Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < 8f7a391211381ed2f6802032c78c7820d166bc49 (git) Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < eabe40f8a53c29f531e92778ea243e379f4f7978 (git) Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < ec25e60f9f95464aa11411db31d0906b3fb7b9f2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/dw/rzn1-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "8f7a391211381ed2f6802032c78c7820d166bc49",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "eabe40f8a53c29f531e92778ea243e379f4f7978",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "ec25e60f9f95464aa11411db31d0906b3fb7b9f2",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/dw/rzn1-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\n\nMake sure to drop the reference taken to the DMA master OF node also on\nlate route allocation failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:42:00.345Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1"
},
{
"url": "https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49"
},
{
"url": "https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978"
},
{
"url": "https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2"
}
],
"title": "dmaengine: dw: dmamux: fix OF node leak on route allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71189",
"datePublished": "2026-01-31T11:42:00.345Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-01-31T11:42:00.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71188 (GCVE-0-2025-71188)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-01-31 11:41
VLAI?
Title
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e5f4ae84be7421010780984bdc121eac15997327 , < 9fba97baa520c9446df51a64708daf27c5a7ed32
(git)
Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 992eb8055a6e5dbb808672d20d68e60d5a89b12b (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 1e47d80f6720f0224efd19bcf081d39637569c10 (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < d4d63059dee7e7cae0c4d9a532ed558bc90efb55 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fba97baa520c9446df51a64708daf27c5a7ed32",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "992eb8055a6e5dbb808672d20d68e60d5a89b12b",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "1e47d80f6720f0224efd19bcf081d39637569c10",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "d4d63059dee7e7cae0c4d9a532ed558bc90efb55",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:41:59.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32"
},
{
"url": "https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b"
},
{
"url": "https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10"
},
{
"url": "https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55"
}
],
"title": "dmaengine: lpc18xx-dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71188",
"datePublished": "2026-01-31T11:41:59.624Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-01-31T11:41:59.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71187 (GCVE-0-2025-71187)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-01-31 11:41
VLAI?
Title
dmaengine: sh: rz-dmac: fix device leak on probe failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: sh: rz-dmac: fix device leak on probe failure
Make sure to drop the reference taken when looking up the ICU device
during probe also on probe failures (e.g. probe deferral).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/sh/rz-dmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "926d1666420c227eab50962a8622c1b8444720e8",
"status": "affected",
"version": "7de873201c44bff5b42f2e560098d463843b8a4c",
"versionType": "git"
},
{
"lessThan": "9fb490323997dcb6f749cd2660a17a39854600cd",
"status": "affected",
"version": "7de873201c44bff5b42f2e560098d463843b8a4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/sh/rz-dmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sh: rz-dmac: fix device leak on probe failure\n\nMake sure to drop the reference taken when looking up the ICU device\nduring probe also on probe failures (e.g. probe deferral)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:41:58.816Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/926d1666420c227eab50962a8622c1b8444720e8"
},
{
"url": "https://git.kernel.org/stable/c/9fb490323997dcb6f749cd2660a17a39854600cd"
}
],
"title": "dmaengine: sh: rz-dmac: fix device leak on probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71187",
"datePublished": "2026-01-31T11:41:58.816Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-01-31T11:41:58.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71185 (GCVE-0-2025-71185)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-01-31 11:41
VLAI?
Title
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Make sure to drop the reference taken when looking up the crossbar
platform device during am335x route allocation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 6fdf168f57e331e148a1177a9b590a845c21b315
(git)
Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < f810132e825588fbad3cba940458c58bb7ec4d84 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 30352277d8e09c972436f883a5efd1f1b763ac14 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6fdf168f57e331e148a1177a9b590a845c21b315",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "f810132e825588fbad3cba940458c58bb7ec4d84",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "30352277d8e09c972436f883a5efd1f1b763ac14",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\n\nMake sure to drop the reference taken when looking up the crossbar\nplatform device during am335x route allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:41:57.082Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315"
},
{
"url": "https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84"
},
{
"url": "https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14"
},
{
"url": "https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9"
}
],
"title": "dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71185",
"datePublished": "2026-01-31T11:41:57.082Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-01-31T11:41:57.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71186 (GCVE-0-2025-71186)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-01-31 11:41
VLAI?
Title
dmaengine: stm32: dmamux: fix device leak on route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: stm32: dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 1a179ac01ff3993ab97e33cc77c316ed7415cda1
(git)
Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 2fb10259d4efb4367787b5ae9c94192e8a91c648 (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 3ef52d31cce8ba816739085a61efe07b63c6cf27 (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < dd6e4943889fb354efa3f700e42739da9bddb6ef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a179ac01ff3993ab97e33cc77c316ed7415cda1",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "2fb10259d4efb4367787b5ae9c94192e8a91c648",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "3ef52d31cce8ba816739085a61efe07b63c6cf27",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "dd6e4943889fb354efa3f700e42739da9bddb6ef",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc6",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: stm32: dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:41:57.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1"
},
{
"url": "https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648"
},
{
"url": "https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27"
},
{
"url": "https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef"
}
],
"title": "dmaengine: stm32: dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71186",
"datePublished": "2026-01-31T11:41:57.921Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-01-31T11:41:57.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23024 (GCVE-0-2026-23024)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
idpf: fix memory leak of flow steer list on rmmod
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix memory leak of flow steer list on rmmod
The flow steering list maintains entries that are added and removed as
ethtool creates and deletes flow steering rules. Module removal with active
entries causes memory leak as the list is not properly cleaned up.
Prevent this by iterating through the remaining entries in the list and
freeing the associated memory during module removal. Add a spinlock
(flow_steer_list_lock) to protect the list access from multiple threads.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf.h",
"drivers/net/ethernet/intel/idpf/idpf_ethtool.c",
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1aedff70a5e97628eaaf17b169774cb6a45a1dc5",
"status": "affected",
"version": "ada3e24b84a097b27a823f1ad98e5b2e8c979689",
"versionType": "git"
},
{
"lessThan": "f9841bd28b600526ca4f6713b0ca49bf7bb98452",
"status": "affected",
"version": "ada3e24b84a097b27a823f1ad98e5b2e8c979689",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf.h",
"drivers/net/ethernet/intel/idpf/idpf_ethtool.c",
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak of flow steer list on rmmod\n\nThe flow steering list maintains entries that are added and removed as\nethtool creates and deletes flow steering rules. Module removal with active\nentries causes memory leak as the list is not properly cleaned up.\n\nPrevent this by iterating through the remaining entries in the list and\nfreeing the associated memory during module removal. Add a spinlock\n(flow_steer_list_lock) to protect the list access from multiple threads."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:07.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1aedff70a5e97628eaaf17b169774cb6a45a1dc5"
},
{
"url": "https://git.kernel.org/stable/c/f9841bd28b600526ca4f6713b0ca49bf7bb98452"
}
],
"title": "idpf: fix memory leak of flow steer list on rmmod",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23024",
"datePublished": "2026-01-31T11:39:07.604Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:39:07.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23023 (GCVE-0-2026-23023)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
idpf: fix memory leak in idpf_vport_rel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix memory leak in idpf_vport_rel()
Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory
during a reset. Reported by kmemleak:
unreferenced object 0xff450acac838a000 (size 4096):
comm "kworker/u258:5", pid 7732, jiffies 4296830044
hex dump (first 32 bytes):
00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
backtrace (crc 3da81902):
__kmalloc_cache_noprof+0x469/0x7a0
idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf]
idpf_init_task+0x1ec/0x8d0 [idpf]
process_one_work+0x226/0x6d0
worker_thread+0x19e/0x340
kthread+0x10f/0x250
ret_from_fork+0x251/0x2b0
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < a4212d6732e3f674c6cc7d0b642f276d827e8f94
(git)
Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < ec602a2a4071eb956d656ba968c58fee09f0622d (git) Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < f6242b354605faff263ca45882b148200915a3f6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4212d6732e3f674c6cc7d0b642f276d827e8f94",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "ec602a2a4071eb956d656ba968c58fee09f0622d",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "f6242b354605faff263ca45882b148200915a3f6",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak in idpf_vport_rel()\n\nFree vport-\u003erx_ptype_lkup in idpf_vport_rel() to avoid leaking memory\nduring a reset. Reported by kmemleak:\n\nunreferenced object 0xff450acac838a000 (size 4096):\n comm \"kworker/u258:5\", pid 7732, jiffies 4296830044\n hex dump (first 32 bytes):\n 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................\n backtrace (crc 3da81902):\n __kmalloc_cache_noprof+0x469/0x7a0\n idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf]\n idpf_init_task+0x1ec/0x8d0 [idpf]\n process_one_work+0x226/0x6d0\n worker_thread+0x19e/0x340\n kthread+0x10f/0x250\n ret_from_fork+0x251/0x2b0\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:06.718Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4212d6732e3f674c6cc7d0b642f276d827e8f94"
},
{
"url": "https://git.kernel.org/stable/c/ec602a2a4071eb956d656ba968c58fee09f0622d"
},
{
"url": "https://git.kernel.org/stable/c/f6242b354605faff263ca45882b148200915a3f6"
}
],
"title": "idpf: fix memory leak in idpf_vport_rel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23023",
"datePublished": "2026-01-31T11:39:06.718Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:39:06.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23022 (GCVE-0-2026-23022)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
idpf: fix memory leak in idpf_vc_core_deinit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix memory leak in idpf_vc_core_deinit()
Make sure to free hw->lan_regs. Reported by kmemleak during reset:
unreferenced object 0xff1b913d02a936c0 (size 96):
comm "kworker/u258:14", pid 2174, jiffies 4294958305
hex dump (first 32 bytes):
00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-.........
00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-.
backtrace (crc 36063c4f):
__kmalloc_noprof+0x48f/0x890
idpf_vc_core_init+0x6ce/0x9b0 [idpf]
idpf_vc_event_task+0x1fb/0x350 [idpf]
process_one_work+0x226/0x6d0
worker_thread+0x19e/0x340
kthread+0x10f/0x250
ret_from_fork+0x251/0x2b0
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23391db8a00c23854915b8b72ec1aa10080aa540",
"status": "affected",
"version": "6aa53e861c1a0c042690c9b7c5c153088ae61079",
"versionType": "git"
},
{
"lessThan": "e111cbc4adf9f9974eed040aeece7e17460f6bff",
"status": "affected",
"version": "6aa53e861c1a0c042690c9b7c5c153088ae61079",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak in idpf_vc_core_deinit()\n\nMake sure to free hw-\u003elan_regs. Reported by kmemleak during reset:\n\nunreferenced object 0xff1b913d02a936c0 (size 96):\n comm \"kworker/u258:14\", pid 2174, jiffies 4294958305\n hex dump (first 32 bytes):\n 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-.........\n 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-.\n backtrace (crc 36063c4f):\n __kmalloc_noprof+0x48f/0x890\n idpf_vc_core_init+0x6ce/0x9b0 [idpf]\n idpf_vc_event_task+0x1fb/0x350 [idpf]\n process_one_work+0x226/0x6d0\n worker_thread+0x19e/0x340\n kthread+0x10f/0x250\n ret_from_fork+0x251/0x2b0\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:05.973Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23391db8a00c23854915b8b72ec1aa10080aa540"
},
{
"url": "https://git.kernel.org/stable/c/e111cbc4adf9f9974eed040aeece7e17460f6bff"
}
],
"title": "idpf: fix memory leak in idpf_vc_core_deinit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23022",
"datePublished": "2026-01-31T11:39:05.973Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:39:05.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23021 (GCVE-0-2026-23021)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
net: usb: pegasus: fix memory leak in update_eth_regs_async()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
323b34963d113efb566635f43858f40cce01d5f9 , < 5397ea6d21c35a17707e201a60761bdee00bcc4e
(git)
Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < a40af9a2904a1ab8ce61866ebe2a894ef30754ba (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ac5d92d2826dec51e5d4c6854865bc5817277452 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 93f18eaa190374e0f2d253e3b1a65cee19a7abe6 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 471dfb97599eec74e0476046b3ef8e7037f27b34 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ce6eef731aba23a988decea1df3b08cf978f7b01 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < afa27621a28af317523e0836dad430bec551eb54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5397ea6d21c35a17707e201a60761bdee00bcc4e",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "a40af9a2904a1ab8ce61866ebe2a894ef30754ba",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ac5d92d2826dec51e5d4c6854865bc5817277452",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "93f18eaa190374e0f2d253e3b1a65cee19a7abe6",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "471dfb97599eec74e0476046b3ef8e7037f27b34",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ce6eef731aba23a988decea1df3b08cf978f7b01",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "afa27621a28af317523e0836dad430bec551eb54",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: fix memory leak in update_eth_regs_async()\n\nWhen asynchronously writing to the device registers and if usb_submit_urb()\nfail, the code fail to release allocated to this point resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:05.152Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e"
},
{
"url": "https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba"
},
{
"url": "https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452"
},
{
"url": "https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6"
},
{
"url": "https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34"
},
{
"url": "https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01"
},
{
"url": "https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54"
}
],
"title": "net: usb: pegasus: fix memory leak in update_eth_regs_async()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23021",
"datePublished": "2026-01-31T11:39:05.152Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:39:05.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23020 (GCVE-0-2026-23020)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55c82617c3e82210b7471e9334e8fc5df6a9961f , < 053ac9e37eee435e999277c0f1ef890dad6064bf
(git)
Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 606872c8e8bf96066730f6a2317502c5633c37f1 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 28b2a805609699be7b90020ae7dccfb234be1ceb (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 2f05f7737e16d9a40038cc1c38a96a3f7964898b (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < a4e305ed60f7c41bbf9aabc16dd75267194e0de3 (git) Affected: d30fdc02c49ad9965bba25015ae66c22dae967d1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "053ac9e37eee435e999277c0f1ef890dad6064bf",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "606872c8e8bf96066730f6a2317502c5633c37f1",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "28b2a805609699be7b90020ae7dccfb234be1ceb",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "2f05f7737e16d9a40038cc1c38a96a3f7964898b",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "a4e305ed60f7c41bbf9aabc16dd75267194e0de3",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"status": "affected",
"version": "d30fdc02c49ad9965bba25015ae66c22dae967d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()\n\npdev can be null and free_ring: can be called in 1297 with a null\npdev."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:04.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf"
},
{
"url": "https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d"
},
{
"url": "https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1"
},
{
"url": "https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb"
},
{
"url": "https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b"
},
{
"url": "https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7"
},
{
"url": "https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3"
}
],
"title": "net: 3com: 3c59x: fix possible null dereference in vortex_probe1()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23020",
"datePublished": "2026-01-31T11:39:04.023Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-01-31T11:39:04.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23019 (GCVE-0-2026-23019)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 8a4333b2818f0d853b43e139936c20659366e4a0
(git)
Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 325aea74be7e192b5c947c782da23b0d19a5fda2 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 94e070cd50790317fba7787ae6006934b7edcb6f (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 3950054c9512add0cc79ab7e72b6d2f9f675e25b (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 326a4b7e61d01db3507f71c8bb5e85362f607064 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < a428e0da1248c353557970848994f35fd3f005e2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a4333b2818f0d853b43e139936c20659366e4a0",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "325aea74be7e192b5c947c782da23b0d19a5fda2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "94e070cd50790317fba7787ae6006934b7edcb6f",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "3950054c9512add0cc79ab7e72b6d2f9f675e25b",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "326a4b7e61d01db3507f71c8bb5e85362f607064",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "a428e0da1248c353557970848994f35fd3f005e2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:03.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0"
},
{
"url": "https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2"
},
{
"url": "https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f"
},
{
"url": "https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b"
},
{
"url": "https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064"
},
{
"url": "https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2"
}
],
"title": "net: marvell: prestera: fix NULL dereference on devlink_alloc() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23019",
"datePublished": "2026-01-31T11:39:03.179Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-01-31T11:39:03.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23018 (GCVE-0-2026-23018)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()
while holding a path with a read locked leaf from a subvolume tree, and
btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can
trigger reclaim.
This can create a circular lock dependency which lockdep warns about with
the following splat:
[6.1433] ======================================================
[6.1574] WARNING: possible circular locking dependency detected
[6.1583] 6.18.0+ #4 Tainted: G U
[6.1591] ------------------------------------------------------
[6.1599] kswapd0/117 is trying to acquire lock:
[6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1625]
but task is already holding lock:
[6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60
[6.1646]
which lock already depends on the new lock.
[6.1657]
the existing dependency chain (in reverse order) is:
[6.1667]
-> #2 (fs_reclaim){+.+.}-{0:0}:
[6.1677] fs_reclaim_acquire+0x9d/0xd0
[6.1685] __kmalloc_cache_noprof+0x59/0x750
[6.1694] btrfs_init_file_extent_tree+0x90/0x100
[6.1702] btrfs_read_locked_inode+0xc3/0x6b0
[6.1710] btrfs_iget+0xbb/0xf0
[6.1716] btrfs_lookup_dentry+0x3c5/0x8e0
[6.1724] btrfs_lookup+0x12/0x30
[6.1731] lookup_open.isra.0+0x1aa/0x6a0
[6.1739] path_openat+0x5f7/0xc60
[6.1746] do_filp_open+0xd6/0x180
[6.1753] do_sys_openat2+0x8b/0xe0
[6.1760] __x64_sys_openat+0x54/0xa0
[6.1768] do_syscall_64+0x97/0x3e0
[6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[6.1784]
-> #1 (btrfs-tree-00){++++}-{3:3}:
[6.1794] lock_release+0x127/0x2a0
[6.1801] up_read+0x1b/0x30
[6.1808] btrfs_search_slot+0x8e0/0xff0
[6.1817] btrfs_lookup_inode+0x52/0xd0
[6.1825] __btrfs_update_delayed_inode+0x73/0x520
[6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120
[6.1842] btrfs_log_inode+0x608/0x1aa0
[6.1849] btrfs_log_inode_parent+0x249/0xf80
[6.1857] btrfs_log_dentry_safe+0x3e/0x60
[6.1865] btrfs_sync_file+0x431/0x690
[6.1872] do_fsync+0x39/0x80
[6.1879] __x64_sys_fsync+0x13/0x20
[6.1887] do_syscall_64+0x97/0x3e0
[6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[6.1903]
-> #0 (&delayed_node->mutex){+.+.}-{3:3}:
[6.1913] __lock_acquire+0x15e9/0x2820
[6.1920] lock_acquire+0xc9/0x2d0
[6.1927] __mutex_lock+0xcc/0x10a0
[6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1944] btrfs_evict_inode+0x20b/0x4b0
[6.1952] evict+0x15a/0x2f0
[6.1958] prune_icache_sb+0x91/0xd0
[6.1966] super_cache_scan+0x150/0x1d0
[6.1974] do_shrink_slab+0x155/0x6f0
[6.1981] shrink_slab+0x48e/0x890
[6.1988] shrink_one+0x11a/0x1f0
[6.1995] shrink_node+0xbfd/0x1320
[6.1002] balance_pgdat+0x67f/0xc60
[6.1321] kswapd+0x1dc/0x3e0
[6.1643] kthread+0xff/0x240
[6.1965] ret_from_fork+0x223/0x280
[6.1287] ret_from_fork_asm+0x1a/0x30
[6.1616]
other info that might help us debug this:
[6.1561] Chain exists of:
&delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim
[6.1503] Possible unsafe locking scenario:
[6.1110] CPU0 CPU1
[6.1411] ---- ----
[6.1707] lock(fs_reclaim);
[6.1998] lock(btrfs-tree-00);
[6.1291] lock(fs_reclaim);
[6.1581] lock(&del
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92a5590851144f034adc51fee55e6878ccac716e",
"status": "affected",
"version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe",
"versionType": "git"
},
{
"lessThan": "8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347",
"status": "affected",
"version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe",
"versionType": "git"
},
{
"status": "affected",
"version": "e8f496001e0c7832d188ab91fea294e19a128202",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n [6.1433] ======================================================\n [6.1574] WARNING: possible circular locking dependency detected\n [6.1583] 6.18.0+ #4 Tainted: G U\n [6.1591] ------------------------------------------------------\n [6.1599] kswapd0/117 is trying to acquire lock:\n [6.1606] ffff8d9b6333c5b8 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1625]\n but task is already holding lock:\n [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n [6.1646]\n which lock already depends on the new lock.\n\n [6.1657]\n the existing dependency chain (in reverse order) is:\n [6.1667]\n -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\n [6.1677] fs_reclaim_acquire+0x9d/0xd0\n [6.1685] __kmalloc_cache_noprof+0x59/0x750\n [6.1694] btrfs_init_file_extent_tree+0x90/0x100\n [6.1702] btrfs_read_locked_inode+0xc3/0x6b0\n [6.1710] btrfs_iget+0xbb/0xf0\n [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0\n [6.1724] btrfs_lookup+0x12/0x30\n [6.1731] lookup_open.isra.0+0x1aa/0x6a0\n [6.1739] path_openat+0x5f7/0xc60\n [6.1746] do_filp_open+0xd6/0x180\n [6.1753] do_sys_openat2+0x8b/0xe0\n [6.1760] __x64_sys_openat+0x54/0xa0\n [6.1768] do_syscall_64+0x97/0x3e0\n [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1784]\n -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n [6.1794] lock_release+0x127/0x2a0\n [6.1801] up_read+0x1b/0x30\n [6.1808] btrfs_search_slot+0x8e0/0xff0\n [6.1817] btrfs_lookup_inode+0x52/0xd0\n [6.1825] __btrfs_update_delayed_inode+0x73/0x520\n [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120\n [6.1842] btrfs_log_inode+0x608/0x1aa0\n [6.1849] btrfs_log_inode_parent+0x249/0xf80\n [6.1857] btrfs_log_dentry_safe+0x3e/0x60\n [6.1865] btrfs_sync_file+0x431/0x690\n [6.1872] do_fsync+0x39/0x80\n [6.1879] __x64_sys_fsync+0x13/0x20\n [6.1887] do_syscall_64+0x97/0x3e0\n [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1903]\n -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n [6.1913] __lock_acquire+0x15e9/0x2820\n [6.1920] lock_acquire+0xc9/0x2d0\n [6.1927] __mutex_lock+0xcc/0x10a0\n [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1944] btrfs_evict_inode+0x20b/0x4b0\n [6.1952] evict+0x15a/0x2f0\n [6.1958] prune_icache_sb+0x91/0xd0\n [6.1966] super_cache_scan+0x150/0x1d0\n [6.1974] do_shrink_slab+0x155/0x6f0\n [6.1981] shrink_slab+0x48e/0x890\n [6.1988] shrink_one+0x11a/0x1f0\n [6.1995] shrink_node+0xbfd/0x1320\n [6.1002] balance_pgdat+0x67f/0xc60\n [6.1321] kswapd+0x1dc/0x3e0\n [6.1643] kthread+0xff/0x240\n [6.1965] ret_from_fork+0x223/0x280\n [6.1287] ret_from_fork_asm+0x1a/0x30\n [6.1616]\n other info that might help us debug this:\n\n [6.1561] Chain exists of:\n \u0026delayed_node-\u003emutex --\u003e btrfs-tree-00 --\u003e fs_reclaim\n\n [6.1503] Possible unsafe locking scenario:\n\n [6.1110] CPU0 CPU1\n [6.1411] ---- ----\n [6.1707] lock(fs_reclaim);\n [6.1998] lock(btrfs-tree-00);\n [6.1291] lock(fs_reclaim);\n [6.1581] lock(\u0026del\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:02.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e"
},
{
"url": "https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"
}
],
"title": "btrfs: release path before initializing extent tree in btrfs_read_locked_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23018",
"datePublished": "2026-01-31T11:39:02.330Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-01-31T11:39:02.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23017 (GCVE-0-2026-23017)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
idpf: fix error handling in the init_task on load
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix error handling in the init_task on load
If the init_task fails during a driver load, we end up without vports and
netdevs, effectively failing the entire process. In that state a
subsequent reset will result in a crash as the service task attempts to
access uninitialized resources. Following trace is from an error in the
init_task where the CREATE_VPORT (op 501) is rejected by the FW:
[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated
[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)
[40958.148190] idpf 0000:83:00.0: HW reset detected
[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8
...
[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]
[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]
...
[40958.177932] Call Trace:
[40958.178491] <TASK>
[40958.179040] process_one_work+0x226/0x6d0
[40958.179609] worker_thread+0x19e/0x340
[40958.180158] ? __pfx_worker_thread+0x10/0x10
[40958.180702] kthread+0x10f/0x250
[40958.181238] ? __pfx_kthread+0x10/0x10
[40958.181774] ret_from_fork+0x251/0x2b0
[40958.182307] ? __pfx_kthread+0x10/0x10
[40958.182834] ret_from_fork_asm+0x1a/0x30
[40958.183370] </TASK>
Fix the error handling in the init_task to make sure the service and
mailbox tasks are disabled if the error happens during load. These are
started in idpf_vc_core_init(), which spawns the init_task and has no way
of knowing if it failed. If the error happens on reset, following
successful driver load, the tasks can still run, as that will allow the
netdevs to attempt recovery through another reset. Stop the PTP callbacks
either way as those will be restarted by the call to idpf_vc_core_init()
during a successful reset.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a514c374edcd33581cdcccf8faa7cc606a600319",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "4d792219fe6f891b5b557a607ac8a0a14eda6e38",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc5",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix error handling in the init_task on load\n\nIf the init_task fails during a driver load, we end up without vports and\nnetdevs, effectively failing the entire process. In that state a\nsubsequent reset will result in a crash as the service task attempts to\naccess uninitialized resources. Following trace is from an error in the\ninit_task where the CREATE_VPORT (op 501) is rejected by the FW:\n\n[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated\n[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)\n[40958.148190] idpf 0000:83:00.0: HW reset detected\n[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8\n...\n[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]\n[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]\n...\n[40958.177932] Call Trace:\n[40958.178491] \u003cTASK\u003e\n[40958.179040] process_one_work+0x226/0x6d0\n[40958.179609] worker_thread+0x19e/0x340\n[40958.180158] ? __pfx_worker_thread+0x10/0x10\n[40958.180702] kthread+0x10f/0x250\n[40958.181238] ? __pfx_kthread+0x10/0x10\n[40958.181774] ret_from_fork+0x251/0x2b0\n[40958.182307] ? __pfx_kthread+0x10/0x10\n[40958.182834] ret_from_fork_asm+0x1a/0x30\n[40958.183370] \u003c/TASK\u003e\n\nFix the error handling in the init_task to make sure the service and\nmailbox tasks are disabled if the error happens during load. These are\nstarted in idpf_vc_core_init(), which spawns the init_task and has no way\nof knowing if it failed. If the error happens on reset, following\nsuccessful driver load, the tasks can still run, as that will allow the\nnetdevs to attempt recovery through another reset. Stop the PTP callbacks\neither way as those will be restarted by the call to idpf_vc_core_init()\nduring a successful reset."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T11:39:01.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319"
},
{
"url": "https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38"
}
],
"title": "idpf: fix error handling in the init_task on load",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23017",
"datePublished": "2026-01-31T11:39:01.204Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-01-31T11:39:01.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}