Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0699
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-38380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38380"
},
{
"name": "CVE-2022-50020",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50020"
},
{
"name": "CVE-2024-57980",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57980"
},
{
"name": "CVE-2025-21727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21727"
},
{
"name": "CVE-2025-38159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38159"
},
{
"name": "CVE-2025-38086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38086"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2021-47670",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47670"
},
{
"name": "CVE-2025-38292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38292"
},
{
"name": "CVE-2025-38085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38085"
},
{
"name": "CVE-2025-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21928"
},
{
"name": "CVE-2022-50022",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50022"
},
{
"name": "CVE-2024-58002",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58002"
},
{
"name": "CVE-2025-38052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38052"
},
{
"name": "CVE-2022-49788",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49788"
},
{
"name": "CVE-2025-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21919"
},
{
"name": "CVE-2025-21759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21759"
},
{
"name": "CVE-2025-23150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23150"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0699",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2025-08-11",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:13589",
"url": "https://access.redhat.com/errata/RHSA-2025:13589"
},
{
"published_at": "2025-08-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:13805",
"url": "https://access.redhat.com/errata/RHSA-2025:13805"
},
{
"published_at": "2025-08-11",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:13602",
"url": "https://access.redhat.com/errata/RHSA-2025:13602"
},
{
"published_at": "2025-08-11",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:13590",
"url": "https://access.redhat.com/errata/RHSA-2025:13590"
},
{
"published_at": "2025-08-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:13776",
"url": "https://access.redhat.com/errata/RHSA-2025:13776"
}
]
}
CVE-2021-47670 (GCVE-0-2021-47670)
Vulnerability from cvelistv5 – Published: 2025-04-17 18:01 – Updated: 2026-05-11 13:58
VLAI
EPSS
Title
can: peak_usb: fix use after free bugs
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: peak_usb: fix use after free bugs
After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the peak_usb_netif_rx_ni().
Reordering the lines solves the issue.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0a25e1f4f18566b750ebd3ae995af64e23111e63 , < 5408824636fa0dfedb9ecb0d94abd573131bfbbe
(git)
Affected: 0a25e1f4f18566b750ebd3ae995af64e23111e63 , < ddd1416f44130377798c1430b76503513b7497c2 (git) Affected: 0a25e1f4f18566b750ebd3ae995af64e23111e63 , < ec939c13c3fff2114479769c8380b7f1a54feca9 (git) Affected: 0a25e1f4f18566b750ebd3ae995af64e23111e63 , < 50aca891d7a554db0901b245167cd653d73aaa71 (git) |
|
| Linux | Linux |
Affected:
4.0
Unaffected: 0 , < 4.0 (semver) Unaffected: 4.19.171 , ≤ 4.19.* (semver) Unaffected: 5.4.93 , ≤ 5.4.* (semver) Unaffected: 5.10.11 , ≤ 5.10.* (semver) Unaffected: 5.11 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T18:17:46.529671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:25:25.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5408824636fa0dfedb9ecb0d94abd573131bfbbe",
"status": "affected",
"version": "0a25e1f4f18566b750ebd3ae995af64e23111e63",
"versionType": "git"
},
{
"lessThan": "ddd1416f44130377798c1430b76503513b7497c2",
"status": "affected",
"version": "0a25e1f4f18566b750ebd3ae995af64e23111e63",
"versionType": "git"
},
{
"lessThan": "ec939c13c3fff2114479769c8380b7f1a54feca9",
"status": "affected",
"version": "0a25e1f4f18566b750ebd3ae995af64e23111e63",
"versionType": "git"
},
{
"lessThan": "50aca891d7a554db0901b245167cd653d73aaa71",
"status": "affected",
"version": "0a25e1f4f18566b750ebd3ae995af64e23111e63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.171",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.93",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.11",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix use after free bugs\n\nAfter calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.\nEspecially, the can_frame cf which aliases skb memory is accessed\nafter the peak_usb_netif_rx_ni().\n\nReordering the lines solves the issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:58:55.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5408824636fa0dfedb9ecb0d94abd573131bfbbe"
},
{
"url": "https://git.kernel.org/stable/c/ddd1416f44130377798c1430b76503513b7497c2"
},
{
"url": "https://git.kernel.org/stable/c/ec939c13c3fff2114479769c8380b7f1a54feca9"
},
{
"url": "https://git.kernel.org/stable/c/50aca891d7a554db0901b245167cd653d73aaa71"
}
],
"title": "can: peak_usb: fix use after free bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47670",
"datePublished": "2025-04-17T18:01:30.722Z",
"dateReserved": "2025-04-16T07:16:05.752Z",
"dateUpdated": "2026-05-11T13:58:55.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49788 (GCVE-0-2022-49788)
Vulnerability from cvelistv5 – Published: 2025-05-01 14:09 – Updated: 2026-05-11 19:06
VLAI
EPSS
Title
misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()
`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,
which may carry uninitialized data to the userspace, as observed by
KMSAN:
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
instrument_copy_to_user ./include/linux/instrumented.h:121
_copy_to_user+0x5f/0xb0 lib/usercopy.c:33
copy_to_user ./include/linux/uaccess.h:169
vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431
vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925
vfs_ioctl fs/ioctl.c:51
...
Uninit was stored to memory at:
kmemdup+0x74/0xb0 mm/util.c:131
dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271
vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339
qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488
vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927
...
Local variable ev created at:
qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
Bytes 28-31 of 48 are uninitialized
Memory access of size 48 starts at ffff888035155e00
Data copied to user address 0000000020000100
Use memset() to prevent the infoleaks.
Also speculatively fix qp_notify_peer_local(), which may suffer from the
same problem.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
06164d2b72aa752ce4633184b3e0d97601017135 , < 7ccf7229b96fadc3a185d1391f814a604c7ef609
(git)
Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < f04586c2315cfd03d72ad0395705435e7ed07b1a (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < 5a275528025ae4bc7e2232866856dfebf84b2fad (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < e7061dd1fef2dfb6458cd521aef27aa66f510d31 (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < 62634b43d3c4e1bf62fd540196f7081bf0885c0a (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < 8e2f33c598370bcf828bab4d667d1d38bcd3c57d (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < 76c50d77b928a33e5290aaa9fdc10e88254ff8c7 (git) Affected: 06164d2b72aa752ce4633184b3e0d97601017135 , < e5b0d06d9b10f5f43101bd6598b076c347f9295f (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 4.9.334 , ≤ 4.9.* (semver) Unaffected: 4.14.300 , ≤ 4.14.* (semver) Unaffected: 4.19.267 , ≤ 4.19.* (semver) Unaffected: 5.4.225 , ≤ 5.4.* (semver) Unaffected: 5.10.156 , ≤ 5.10.* (semver) Unaffected: 5.15.80 , ≤ 5.15.* (semver) Unaffected: 6.0.10 , ≤ 6.0.* (semver) Unaffected: 6.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_queue_pair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ccf7229b96fadc3a185d1391f814a604c7ef609",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "f04586c2315cfd03d72ad0395705435e7ed07b1a",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "5a275528025ae4bc7e2232866856dfebf84b2fad",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "e7061dd1fef2dfb6458cd521aef27aa66f510d31",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "62634b43d3c4e1bf62fd540196f7081bf0885c0a",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "8e2f33c598370bcf828bab4d667d1d38bcd3c57d",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "76c50d77b928a33e5290aaa9fdc10e88254ff8c7",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
},
{
"lessThan": "e5b0d06d9b10f5f43101bd6598b076c347f9295f",
"status": "affected",
"version": "06164d2b72aa752ce4633184b3e0d97601017135",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_queue_pair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.334",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.267",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.334",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.300",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.267",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.225",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.156",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.80",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()\n\n`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,\nwhich may carry uninitialized data to the userspace, as observed by\nKMSAN:\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121\n instrument_copy_to_user ./include/linux/instrumented.h:121\n _copy_to_user+0x5f/0xb0 lib/usercopy.c:33\n copy_to_user ./include/linux/uaccess.h:169\n vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431\n vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925\n vfs_ioctl fs/ioctl.c:51\n ...\n\n Uninit was stored to memory at:\n kmemdup+0x74/0xb0 mm/util.c:131\n dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271\n vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339\n qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479\n qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940\n vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488\n vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927\n ...\n\n Local variable ev created at:\n qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456\n qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n\n Bytes 28-31 of 48 are uninitialized\n Memory access of size 48 starts at ffff888035155e00\n Data copied to user address 0000000020000100\n\nUse memset() to prevent the infoleaks.\n\nAlso speculatively fix qp_notify_peer_local(), which may suffer from the\nsame problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:06:47.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ccf7229b96fadc3a185d1391f814a604c7ef609"
},
{
"url": "https://git.kernel.org/stable/c/f04586c2315cfd03d72ad0395705435e7ed07b1a"
},
{
"url": "https://git.kernel.org/stable/c/5a275528025ae4bc7e2232866856dfebf84b2fad"
},
{
"url": "https://git.kernel.org/stable/c/e7061dd1fef2dfb6458cd521aef27aa66f510d31"
},
{
"url": "https://git.kernel.org/stable/c/62634b43d3c4e1bf62fd540196f7081bf0885c0a"
},
{
"url": "https://git.kernel.org/stable/c/8e2f33c598370bcf828bab4d667d1d38bcd3c57d"
},
{
"url": "https://git.kernel.org/stable/c/76c50d77b928a33e5290aaa9fdc10e88254ff8c7"
},
{
"url": "https://git.kernel.org/stable/c/e5b0d06d9b10f5f43101bd6598b076c347f9295f"
}
],
"title": "misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49788",
"datePublished": "2025-05-01T14:09:20.506Z",
"dateReserved": "2025-05-01T14:05:17.223Z",
"dateUpdated": "2026-05-11T19:06:47.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50020 (GCVE-0-2022-50020)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:01 – Updated: 2026-05-11 19:11
VLAI
EPSS
Title
ext4: avoid resizing to a partial cluster size
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid resizing to a partial cluster size
This patch avoids an attempt to resize the filesystem to an
unaligned cluster boundary. An online resize to a size that is not
integral to cluster size results in the last iteration attempting to
grow the fs by a negative amount, which trips a BUG_ON and leaves the fs
with a corrupted in-memory superblock.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d77147ff443b255d82c907a632c825b2cc610b10 , < 7bdfb01fc5f6b3696728aeb527c50386e0ee09a1
(git)
Affected: d77147ff443b255d82c907a632c825b2cc610b10 , < a6805b3dcf5cd41f2ae3a03dca43411135b99849 (git) Affected: d77147ff443b255d82c907a632c825b2cc610b10 , < 80288883294c5b4ed18bae0d8bd9c4a12f297074 (git) Affected: d77147ff443b255d82c907a632c825b2cc610b10 , < 72b850a2a996f72541172e7cf686d54a2b29bcd8 (git) Affected: d77147ff443b255d82c907a632c825b2cc610b10 , < 0082e99a9074ff88eff729c70c93454c8588d8e1 (git) Affected: d77147ff443b255d82c907a632c825b2cc610b10 , < 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 4.19.256 , ≤ 4.19.* (semver) Unaffected: 5.4.211 , ≤ 5.4.* (semver) Unaffected: 5.10.138 , ≤ 5.10.* (semver) Unaffected: 5.15.63 , ≤ 5.15.* (semver) Unaffected: 5.19.4 , ≤ 5.19.* (semver) Unaffected: 6.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bdfb01fc5f6b3696728aeb527c50386e0ee09a1",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
},
{
"lessThan": "a6805b3dcf5cd41f2ae3a03dca43411135b99849",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
},
{
"lessThan": "80288883294c5b4ed18bae0d8bd9c4a12f297074",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
},
{
"lessThan": "72b850a2a996f72541172e7cf686d54a2b29bcd8",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
},
{
"lessThan": "0082e99a9074ff88eff729c70c93454c8588d8e1",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
},
{
"lessThan": "69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd",
"status": "affected",
"version": "d77147ff443b255d82c907a632c825b2cc610b10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.138",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.63",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid resizing to a partial cluster size\n\nThis patch avoids an attempt to resize the filesystem to an\nunaligned cluster boundary. An online resize to a size that is not\nintegral to cluster size results in the last iteration attempting to\ngrow the fs by a negative amount, which trips a BUG_ON and leaves the fs\nwith a corrupted in-memory superblock."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:11:14.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bdfb01fc5f6b3696728aeb527c50386e0ee09a1"
},
{
"url": "https://git.kernel.org/stable/c/a6805b3dcf5cd41f2ae3a03dca43411135b99849"
},
{
"url": "https://git.kernel.org/stable/c/80288883294c5b4ed18bae0d8bd9c4a12f297074"
},
{
"url": "https://git.kernel.org/stable/c/72b850a2a996f72541172e7cf686d54a2b29bcd8"
},
{
"url": "https://git.kernel.org/stable/c/0082e99a9074ff88eff729c70c93454c8588d8e1"
},
{
"url": "https://git.kernel.org/stable/c/69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd"
}
],
"title": "ext4: avoid resizing to a partial cluster size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50020",
"datePublished": "2025-06-18T11:01:24.227Z",
"dateReserved": "2025-06-18T10:57:27.393Z",
"dateUpdated": "2026-05-11T19:11:14.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50022 (GCVE-0-2022-50022)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:01 – Updated: 2026-05-11 19:11
VLAI
EPSS
Title
drivers:md:fix a potential use-after-free bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers:md:fix a potential use-after-free bug
In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
may cause sh to be released. However, sh is subsequently used in lines
2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
use-after-free bug.
It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
the function.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < 7470a4314b239e9a9580f248fdf4c9a92805490e
(git)
Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < 09cf99bace7789d91caa8d10fbcfc8b2fb35857f (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < e5b3dd2d92c4511e81f6e4ec9c5bb7ad25e03d13 (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < f5d46f1b47f65da1faf468277b261eb78c8e25b5 (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < 5d8325fd15892c8ab1146edc1d7ed8463de39636 (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < d9b94c3ace549433de8a93eeb27b0391fc8ac406 (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < eb3a4f73f43f839df981dda5859e8e075067a360 (git) Affected: 59fc630b8b5f9f21c8ce3ba153341c107dce1b0c , < 104212471b1c1817b311771d817fb692af983173 (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 4.9.326 , ≤ 4.9.* (semver) Unaffected: 4.14.291 , ≤ 4.14.* (semver) Unaffected: 4.19.256 , ≤ 4.19.* (semver) Unaffected: 5.4.211 , ≤ 5.4.* (semver) Unaffected: 5.10.138 , ≤ 5.10.* (semver) Unaffected: 5.15.63 , ≤ 5.15.* (semver) Unaffected: 5.19.4 , ≤ 5.19.* (semver) Unaffected: 6.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7470a4314b239e9a9580f248fdf4c9a92805490e",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "09cf99bace7789d91caa8d10fbcfc8b2fb35857f",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "e5b3dd2d92c4511e81f6e4ec9c5bb7ad25e03d13",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "f5d46f1b47f65da1faf468277b261eb78c8e25b5",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "5d8325fd15892c8ab1146edc1d7ed8463de39636",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "d9b94c3ace549433de8a93eeb27b0391fc8ac406",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "eb3a4f73f43f839df981dda5859e8e075067a360",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
},
{
"lessThan": "104212471b1c1817b311771d817fb692af983173",
"status": "affected",
"version": "59fc630b8b5f9f21c8ce3ba153341c107dce1b0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.138",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.63",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.4",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers:md:fix a potential use-after-free bug\n\nIn line 2884, \"raid5_release_stripe(sh);\" drops the reference to sh and\nmay cause sh to be released. However, sh is subsequently used in lines\n2886 \"if (sh-\u003ebatch_head \u0026\u0026 sh != sh-\u003ebatch_head)\". This may result in an\nuse-after-free bug.\n\nIt can be fixed by moving \"raid5_release_stripe(sh);\" to the bottom of\nthe function."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:11:16.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7470a4314b239e9a9580f248fdf4c9a92805490e"
},
{
"url": "https://git.kernel.org/stable/c/09cf99bace7789d91caa8d10fbcfc8b2fb35857f"
},
{
"url": "https://git.kernel.org/stable/c/e5b3dd2d92c4511e81f6e4ec9c5bb7ad25e03d13"
},
{
"url": "https://git.kernel.org/stable/c/f5d46f1b47f65da1faf468277b261eb78c8e25b5"
},
{
"url": "https://git.kernel.org/stable/c/5d8325fd15892c8ab1146edc1d7ed8463de39636"
},
{
"url": "https://git.kernel.org/stable/c/d9b94c3ace549433de8a93eeb27b0391fc8ac406"
},
{
"url": "https://git.kernel.org/stable/c/eb3a4f73f43f839df981dda5859e8e075067a360"
},
{
"url": "https://git.kernel.org/stable/c/104212471b1c1817b311771d817fb692af983173"
}
],
"title": "drivers:md:fix a potential use-after-free bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50022",
"datePublished": "2025-06-18T11:01:25.965Z",
"dateReserved": "2025-06-18T10:57:27.394Z",
"dateUpdated": "2026-05-11T19:11:16.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57980 (GCVE-0-2024-57980)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2026-05-11 21:01
VLAI
EPSS
Title
media: uvcvideo: Fix double free in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix double free in error path
If the uvc_status_init() function fails to allocate the int_urb, it will
free the dev->status pointer but doesn't reset the pointer to NULL. This
results in the kfree() call in uvc_status_cleanup() trying to
double-free the memory. Fix it by resetting the dev->status pointer to
NULL after freeing it.
Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d
(git)
Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 87522ef165e5b6de8ef98cc318f3335166a1512c (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 9232719ac9ce4d5c213cebda23d72aec3e1c4c0d (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 6c36dcd662ec5276782838660f8533a7cb26be49 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d1f8e69eec91d5a75ef079778a5d0151db2a7f22 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d8e63dd7b6683969d3d47c7b8e9635f96d554ad4 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac (git) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.4.291 , ≤ 5.4.* (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.76 , ≤ 6.6.* (semver) Unaffected: 6.12.13 , ≤ 6.12.* (semver) Unaffected: 6.13.2 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:59.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "87522ef165e5b6de8ef98cc318f3335166a1512c",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "9232719ac9ce4d5c213cebda23d72aec3e1c4c0d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "6c36dcd662ec5276782838660f8533a7cb26be49",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d1f8e69eec91d5a75ef079778a5d0151db2a7f22",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d8e63dd7b6683969d3d47c7b8e9635f96d554ad4",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:01:28.686Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d"
},
{
"url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c"
},
{
"url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277"
},
{
"url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d"
},
{
"url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49"
},
{
"url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22"
},
{
"url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4"
},
{
"url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac"
}
],
"title": "media: uvcvideo: Fix double free in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57980",
"datePublished": "2025-02-27T02:07:06.849Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2026-05-11T21:01:28.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58002 (GCVE-0-2024-58002)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2026-05-11 21:01
VLAI
EPSS
Title
media: uvcvideo: Remove dangling pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Remove dangling pointers
When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.
If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.
Clean all the dangling pointers during release().
To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e5225c820c057537dc780244760e2e24c7d27366 , < 2a29413ace64627e178fd422dd8a5d95219a2c0b
(git)
Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 653993f46861f2971e95e9a0e36a34b49dec542c (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < ac18d781466252cd35a3e311e0a4b264260fd927 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 4dbaa738c583a0e947803c69e8996e88cf98d971 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 438bda062b2c40ddd7df23b932e29ffe0a448cac (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 9edc7d25f7e49c33a1ce7a5ffadea2222065516c (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 221cd51efe4565501a3dbf04cc011b537dcce7fb (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 5.4.291 , ≤ 5.4.* (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.130 , ≤ 6.1.* (semver) Unaffected: 6.6.80 , ≤ 6.6.* (semver) Unaffected: 6.12.14 , ≤ 6.12.* (semver) Unaffected: 6.13.3 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:15.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a29413ace64627e178fd422dd8a5d95219a2c0b",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "653993f46861f2971e95e9a0e36a34b49dec542c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "ac18d781466252cd35a3e311e0a4b264260fd927",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "4dbaa738c583a0e947803c69e8996e88cf98d971",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "438bda062b2c40ddd7df23b932e29ffe0a448cac",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "9edc7d25f7e49c33a1ce7a5ffadea2222065516c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "221cd51efe4565501a3dbf04cc011b537dcce7fb",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:01:53.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b"
},
{
"url": "https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c"
},
{
"url": "https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50"
},
{
"url": "https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927"
},
{
"url": "https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971"
},
{
"url": "https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac"
},
{
"url": "https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c"
},
{
"url": "https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb"
}
],
"title": "media: uvcvideo: Remove dangling pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58002",
"datePublished": "2025-02-27T02:12:00.223Z",
"dateReserved": "2025-02-27T02:04:28.915Z",
"dateUpdated": "2026-05-11T21:01:53.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21727 (GCVE-0-2025-21727)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2026-05-12 12:03
VLAI
EPSS
Title
padata: fix UAF in padata_reorder
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with
ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection, to address this issue, add
synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b128a30409356df65f1a51cff3eb986cac8cfedc , < f78170bee51469734b1a306a74fc5f777bb22ba6
(git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < f3e0b9f790f8e8065d59e67b565a83154d9f3079 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 573ac9c70bf7885dc85d82fa44550581bfc3b738 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 80231f069240d52e98b6a317456c67b2eafd0781 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < e01780ea4661172734118d2a5f41bc9720765668 (git) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.76 , ≤ 6.6.* (semver) Unaffected: 6.12.13 , ≤ 6.12.* (semver) Unaffected: 6.13.2 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:06.104597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:30.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:03:30.794Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:05:15.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
},
{
"url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
},
{
"url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
},
{
"url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
},
{
"url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
},
{
"url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
},
{
"url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
}
],
"title": "padata: fix UAF in padata_reorder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21727",
"datePublished": "2025-02-27T02:07:33.501Z",
"dateReserved": "2024-12-29T08:45:45.754Z",
"dateUpdated": "2026-05-12T12:03:30.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21759 (GCVE-0-2025-21759)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2026-05-11 21:05
VLAI
EPSS
Title
ipv6: mcast: extend RCU protection in igmp6_send()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: extend RCU protection in igmp6_send()
igmp6_send() can be called without RTNL or RCU being held.
Extend RCU protection so that we can safely fetch the net pointer
and avoid a potential UAF.
Note that we no longer can use sock_alloc_send_skb() because
ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.
Instead use alloc_skb() and charge the net->ipv6.igmp_sk
socket under RCU protection.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a
(git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 0bf8e2f3768629d437a32cb824149e6e98254381 (git) Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 8e92d6a413feaf968a33f0b439ecf27404407458 (git) Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 087c1faa594fa07a66933d750c0b2610aa1a2946 (git) |
|
| Linux | Linux |
Affected:
2.6.26
Unaffected: 0 , < 2.6.26 (semver) Unaffected: 6.6.79 , ≤ 6.6.* (semver) Unaffected: 6.12.16 , ≤ 6.12.* (semver) Unaffected: 6.13.4 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:46.460072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "0bf8e2f3768629d437a32cb824149e6e98254381",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "8e92d6a413feaf968a33f0b439ecf27404407458",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "087c1faa594fa07a66933d750c0b2610aa1a2946",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: extend RCU protection in igmp6_send()\n\nigmp6_send() can be called without RTNL or RCU being held.\n\nExtend RCU protection so that we can safely fetch the net pointer\nand avoid a potential UAF.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net-\u003eipv6.igmp_sk\nsocket under RCU protection."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:05:50.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a"
},
{
"url": "https://git.kernel.org/stable/c/0bf8e2f3768629d437a32cb824149e6e98254381"
},
{
"url": "https://git.kernel.org/stable/c/8e92d6a413feaf968a33f0b439ecf27404407458"
},
{
"url": "https://git.kernel.org/stable/c/087c1faa594fa07a66933d750c0b2610aa1a2946"
}
],
"title": "ipv6: mcast: extend RCU protection in igmp6_send()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21759",
"datePublished": "2025-02-27T02:18:12.994Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2026-05-11T21:05:50.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21919 (GCVE-0-2025-21919)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq.
This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list,
making the conversion invalid and potentially leading to memory
corruption. Depending on the relative positions of leaf_cfs_rq_list and
the task group (tg) pointer within the struct, this can cause a memory
fault or access garbage data.
The issue arises in list_add_leaf_cfs_rq, where both
cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same
leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.
This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main
conditional in child_cfs_rq_on_list. This ensures that the container_of
operation will convert a correct cfs_rq struct.
This check is sufficient because only cfs_rqs on the same CPU are added
to the list, so verifying the 'prev' pointer against the current rq's list
head is enough.
Fixes a potential memory corruption issue that due to current struct
layout might not be manifesting as a crash but could lead to unpredictable
behavior when the layout changes.
Severity
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 5cb300dcdd27e6a351ac02541e0231261c775852
(git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 000c9ee43928f2ce68a156dd40bab7616256f4dd (git) Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 9cc7f0018609f75a349e42e3aebc3b0e905ba775 (git) Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < b5741e4b9ef3567613b2351384f91d3f16e59986 (git) Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < e1dd09df30ba86716cb2ffab97dc35195c01eb8f (git) Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 3b4035ddbfc8e4521f85569998a7569668cccf51 (git) |
|
| Linux | Linux |
Affected:
5.13
Unaffected: 0 , < 5.13 (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:23:59.713530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:33.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:11.086Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5cb300dcdd27e6a351ac02541e0231261c775852",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
},
{
"lessThan": "000c9ee43928f2ce68a156dd40bab7616256f4dd",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
},
{
"lessThan": "9cc7f0018609f75a349e42e3aebc3b0e905ba775",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
},
{
"lessThan": "b5741e4b9ef3567613b2351384f91d3f16e59986",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
},
{
"lessThan": "e1dd09df30ba86716cb2ffab97dc35195c01eb8f",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
},
{
"lessThan": "3b4035ddbfc8e4521f85569998a7569668cccf51",
"status": "affected",
"version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:04.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852"
},
{
"url": "https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd"
},
{
"url": "https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775"
},
{
"url": "https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986"
},
{
"url": "https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f"
},
{
"url": "https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51"
}
],
"title": "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21919",
"datePublished": "2025-04-01T15:40:54.075Z",
"dateReserved": "2024-12-29T08:45:45.787Z",
"dateUpdated": "2026-05-11T21:09:04.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21928 (GCVE-0-2025-21928)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
The system can experience a random crash a few minutes after the driver is
removed. This issue occurs due to improper handling of memory freeing in
the ishtp_hid_remove() function.
The function currently frees the `driver_data` directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, `hid_destroy_device()` uses `driver_data` when it calls
`hid_ishtp_set_feature()` to power off the sensor, so freeing
`driver_data` beforehand can result in accessing invalid memory.
This patch resolves the issue by storing the `driver_data` in a temporary
variable before calling `hid_destroy_device()`, and then freeing the
`driver_data` after the device is destroyed.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d
(git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < d3faae7f42181865c799d88c5054176f38ae4625 (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 01b18a330cda61cc21423a7d1af92cf31ded8f60 (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394 (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 560f4d1299342504a6ab8a47f575b5e6b8345ada (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < dea6a349bcaf243fff95dfd0428a26be6a0fb44e (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9 (git) Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 07583a0010696a17fb0942e0b499a62785c5fc9f (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 5.4.291 , ≤ 5.4.* (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T13:15:05.405186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T13:19:52.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:26.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/intel-ish-hid/ishtp-hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "d3faae7f42181865c799d88c5054176f38ae4625",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "01b18a330cda61cc21423a7d1af92cf31ded8f60",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "560f4d1299342504a6ab8a47f575b5e6b8345ada",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "dea6a349bcaf243fff95dfd0428a26be6a0fb44e",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
},
{
"lessThan": "07583a0010696a17fb0942e0b499a62785c5fc9f",
"status": "affected",
"version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/intel-ish-hid/ishtp-hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()\n\nThe system can experience a random crash a few minutes after the driver is\nremoved. This issue occurs due to improper handling of memory freeing in\nthe ishtp_hid_remove() function.\n\nThe function currently frees the `driver_data` directly within the loop\nthat destroys the HID devices, which can lead to accessing freed memory.\nSpecifically, `hid_destroy_device()` uses `driver_data` when it calls\n`hid_ishtp_set_feature()` to power off the sensor, so freeing\n`driver_data` beforehand can result in accessing invalid memory.\n\nThis patch resolves the issue by storing the `driver_data` in a temporary\nvariable before calling `hid_destroy_device()`, and then freeing the\n`driver_data` after the device is destroyed."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:14.996Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d"
},
{
"url": "https://git.kernel.org/stable/c/d3faae7f42181865c799d88c5054176f38ae4625"
},
{
"url": "https://git.kernel.org/stable/c/01b18a330cda61cc21423a7d1af92cf31ded8f60"
},
{
"url": "https://git.kernel.org/stable/c/cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394"
},
{
"url": "https://git.kernel.org/stable/c/560f4d1299342504a6ab8a47f575b5e6b8345ada"
},
{
"url": "https://git.kernel.org/stable/c/dea6a349bcaf243fff95dfd0428a26be6a0fb44e"
},
{
"url": "https://git.kernel.org/stable/c/eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9"
},
{
"url": "https://git.kernel.org/stable/c/07583a0010696a17fb0942e0b499a62785c5fc9f"
}
],
"title": "HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21928",
"datePublished": "2025-04-01T15:40:59.033Z",
"dateReserved": "2024-12-29T08:45:45.788Z",
"dateUpdated": "2026-05-11T21:09:14.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…