Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0057
Vulnerability from certfr_avis - Published: 2026-01-16 - Updated: 2026-01-16
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian LTS bullseye versions ant\u00e9rieures \u00e0 6.1.159-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-68200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68200"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2025-68283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68283"
},
{
"name": "CVE-2025-68246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68246"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-40285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40285"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40294"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-68220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68220"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2025-68173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68173"
},
{
"name": "CVE-2025-68307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68307"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2025-68231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68231"
},
{
"name": "CVE-2025-68310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68310"
},
{
"name": "CVE-2025-68229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68229"
},
{
"name": "CVE-2025-68321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68321"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-40313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40313"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-68218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68218"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2025-38057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38057"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2025-68343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68343"
},
{
"name": "CVE-2025-37899",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37899"
},
{
"name": "CVE-2025-40292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40292"
},
{
"name": "CVE-2025-68237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68237"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2024-47666",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47666"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2025-40341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40341"
},
{
"name": "CVE-2025-38593",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38593"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2025-40214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40214"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-68171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68171"
},
{
"name": "CVE-2025-38678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38678"
},
{
"name": "CVE-2025-40301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40301"
},
{
"name": "CVE-2025-40286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40286"
},
{
"name": "CVE-2025-68327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68327"
},
{
"name": "CVE-2025-40318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40318"
},
{
"name": "CVE-2025-68241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68241"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2025-68288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68288"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-40293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40293"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2025-68214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68214"
},
{
"name": "CVE-2025-40284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40284"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-40297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40297"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2025-40363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40363"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-68245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68245"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2025-68233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68233"
},
{
"name": "CVE-2025-68282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68282"
},
{
"name": "CVE-2025-68177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68177"
},
{
"name": "CVE-2025-68191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68191"
},
{
"name": "CVE-2025-40288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40288"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-40281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40281"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-40323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40323"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2025-68227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68227"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
}
],
"initial_release_date": "2026-01-16T00:00:00",
"last_revision_date": "2026-01-16T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0057",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS DLA-4436-1",
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00007.html"
}
]
}
CVE-2024-47666 (GCVE-0-2024-47666)
Vulnerability from cvelistv5 – Published: 2024-10-09 14:13 – Updated: 2026-05-11 20:38
VLAI
EPSS
Title
scsi: pm80xx: Set phy->enable_completion only when we wait for it
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Set phy->enable_completion only when we wait for it
pm8001_phy_control() populates the enable_completion pointer with a stack
address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and
returns. The problem arises when a phy control response comes late. After
300 ms the pm8001_phy_control() function returns and the passed
enable_completion stack address is no longer valid. Late phy control
response invokes complete() on a dangling enable_completion pointer which
leads to a kernel crash.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
869ddbdcae3b4fb83b99889abae31544c149b210 , < ddc501f4130f4baa787cb6cfa309af697179f475
(git)
Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < a5d954802bda1aabcba49633cd94bad91c94113f (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < e23ee0cc5bded07e700553aecc333bb20c768546 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < 7b1d779647afaea9185fa2f150b1721e7c1aae89 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < f14d3e1aa613311c744af32d75125e95fc8ffb84 (git) Affected: 869ddbdcae3b4fb83b99889abae31544c149b210 , < e4f949ef1516c0d74745ee54a0f4882c1f6c7aea (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.51 , ≤ 6.6.* (semver) Unaffected: 6.10.10 , ≤ 6.10.* (semver) Unaffected: 6.11 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T13:21:42.621552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T13:21:56.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddc501f4130f4baa787cb6cfa309af697179f475",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "a5d954802bda1aabcba49633cd94bad91c94113f",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e23ee0cc5bded07e700553aecc333bb20c768546",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "7b1d779647afaea9185fa2f150b1721e7c1aae89",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "f14d3e1aa613311c744af32d75125e95fc8ffb84",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e4f949ef1516c0d74745ee54a0f4882c1f6c7aea",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it\n\npm8001_phy_control() populates the enable_completion pointer with a stack\naddress, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and\nreturns. The problem arises when a phy control response comes late. After\n300 ms the pm8001_phy_control() function returns and the passed\nenable_completion stack address is no longer valid. Late phy control\nresponse invokes complete() on a dangling enable_completion pointer which\nleads to a kernel crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:38:25.670Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddc501f4130f4baa787cb6cfa309af697179f475"
},
{
"url": "https://git.kernel.org/stable/c/a5d954802bda1aabcba49633cd94bad91c94113f"
},
{
"url": "https://git.kernel.org/stable/c/e23ee0cc5bded07e700553aecc333bb20c768546"
},
{
"url": "https://git.kernel.org/stable/c/7b1d779647afaea9185fa2f150b1721e7c1aae89"
},
{
"url": "https://git.kernel.org/stable/c/f14d3e1aa613311c744af32d75125e95fc8ffb84"
},
{
"url": "https://git.kernel.org/stable/c/e4f949ef1516c0d74745ee54a0f4882c1f6c7aea"
}
],
"title": "scsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47666",
"datePublished": "2024-10-09T14:13:58.849Z",
"dateReserved": "2024-09-30T16:00:12.936Z",
"dateUpdated": "2026-05-11T20:38:25.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37899 (GCVE-0-2025-37899)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2026-05-11 21:17
VLAI
EPSS
Title
ksmbd: fix use-after-free in session logoff
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in session logoff
The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < 931dc8a3670f71c45c0b1379ea4e92dafbda1aca
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 70ad6455139e26e85f48f95d0e21f351c1909342 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d5ec1d79509b3ee01de02c236f096bc050221b7f (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 02d16046cd11a5c037b28c12ffb818c56dd3ef43 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2fc9feff45d92a92cd5f96487655d5be23fb7e2b (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.119 , ≤ 6.6.* (semver) Unaffected: 6.12.28 , ≤ 6.12.* (semver) Unaffected: 6.14.6 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-24T19:05:08.356Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/"
},
{
"url": "https://news.ycombinator.com/item?id=44081338"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "931dc8a3670f71c45c0b1379ea4e92dafbda1aca",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "70ad6455139e26e85f48f95d0e21f351c1909342",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "d5ec1d79509b3ee01de02c236f096bc050221b7f",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "02d16046cd11a5c037b28c12ffb818c56dd3ef43",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "2fc9feff45d92a92cd5f96487655d5be23fb7e2b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in session logoff\n\nThe sess-\u003euser object can currently be in use by another thread, for\nexample if another connection has sent a session setup request to\nbind to the session being free\u0027d. The handler for that connection could\nbe in the smb2_sess_setup function which makes use of sess-\u003euser."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:16.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/931dc8a3670f71c45c0b1379ea4e92dafbda1aca"
},
{
"url": "https://git.kernel.org/stable/c/70ad6455139e26e85f48f95d0e21f351c1909342"
},
{
"url": "https://git.kernel.org/stable/c/d5ec1d79509b3ee01de02c236f096bc050221b7f"
},
{
"url": "https://git.kernel.org/stable/c/02d16046cd11a5c037b28c12ffb818c56dd3ef43"
},
{
"url": "https://git.kernel.org/stable/c/2fc9feff45d92a92cd5f96487655d5be23fb7e2b"
}
],
"title": "ksmbd: fix use-after-free in session logoff",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37899",
"datePublished": "2025-05-20T15:21:34.782Z",
"dateReserved": "2025-04-16T04:51:23.965Z",
"dateUpdated": "2026-05-11T21:17:16.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38057 (GCVE-0-2025-38057)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
espintcp: fix skb leaks
Summary
In the Linux kernel, the following vulnerability has been resolved:
espintcp: fix skb leaks
A few error paths are missing a kfree_skb.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 05db2b850a2b8b17f3d1799f563ea1d550e05ed5
(git)
Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < e2e1f50fc5ebd2826c4e8c558dc65434382d0c0b (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < d8d79cf8c2b7475c22f9874eb844bcc80f858b13 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 28756f22de48d25256ed89234b66b9037a3f0157 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < eb058693dfc93ed7a9c365adb899fedd648b9d9f (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 63c1f19a3be3169e51a5812d22a6d0c879414076 (git) |
|
| Linux | Linux |
Affected:
5.6
Unaffected: 0 , < 5.6 (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c",
"net/xfrm/espintcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05db2b850a2b8b17f3d1799f563ea1d550e05ed5",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "e2e1f50fc5ebd2826c4e8c558dc65434382d0c0b",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "d8d79cf8c2b7475c22f9874eb844bcc80f858b13",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "28756f22de48d25256ed89234b66b9037a3f0157",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "eb058693dfc93ed7a9c365adb899fedd648b9d9f",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "63c1f19a3be3169e51a5812d22a6d0c879414076",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c",
"net/xfrm/espintcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: fix skb leaks\n\nA few error paths are missing a kfree_skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:26.323Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05db2b850a2b8b17f3d1799f563ea1d550e05ed5"
},
{
"url": "https://git.kernel.org/stable/c/e2e1f50fc5ebd2826c4e8c558dc65434382d0c0b"
},
{
"url": "https://git.kernel.org/stable/c/d8d79cf8c2b7475c22f9874eb844bcc80f858b13"
},
{
"url": "https://git.kernel.org/stable/c/28756f22de48d25256ed89234b66b9037a3f0157"
},
{
"url": "https://git.kernel.org/stable/c/eb058693dfc93ed7a9c365adb899fedd648b9d9f"
},
{
"url": "https://git.kernel.org/stable/c/63c1f19a3be3169e51a5812d22a6d0c879414076"
}
],
"title": "espintcp: fix skb leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38057",
"datePublished": "2025-06-18T09:33:37.148Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-11T21:20:26.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38556 (GCVE-0-2025-38556)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-05-11 21:30
VLAI
EPSS
Title
HID: core: Harden s32ton() against conversion to 0 bits
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Harden s32ton() against conversion to 0 bits
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dde5845a529ff753364a6d1aea61180946270bfa , < 6cdf6c708717c5c6897d0800a1793e83757c7491
(git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < eeeaba737919bdce9885e2a00ac2912f61a3684d (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 3c86548a20d7bc2861aa4de044991a327bebad1a (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 810189546cb6c8f36443ed091d91f1f5d2fc2ec7 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < d3b504146c111548ab60b6ef7aad00bfb1db05a2 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 8b4a94b1510f6a46ec48494b52ee8f67eb4fc836 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 865ad8469fa24de1559f247d9426ab01e5ce3a56 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd (git) |
|
| Linux | Linux |
Affected:
2.6.20
Unaffected: 0 , < 2.6.20 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.119 , ≤ 6.6.* (semver) Unaffected: 6.12.46 , ≤ 6.12.* (semver) Unaffected: 6.15.10 , ≤ 6.15.* (semver) Unaffected: 6.16.1 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cdf6c708717c5c6897d0800a1793e83757c7491",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "eeeaba737919bdce9885e2a00ac2912f61a3684d",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "3c86548a20d7bc2861aa4de044991a327bebad1a",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "810189546cb6c8f36443ed091d91f1f5d2fc2ec7",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity. Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:30:22.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cdf6c708717c5c6897d0800a1793e83757c7491"
},
{
"url": "https://git.kernel.org/stable/c/eeeaba737919bdce9885e2a00ac2912f61a3684d"
},
{
"url": "https://git.kernel.org/stable/c/3c86548a20d7bc2861aa4de044991a327bebad1a"
},
{
"url": "https://git.kernel.org/stable/c/810189546cb6c8f36443ed091d91f1f5d2fc2ec7"
},
{
"url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
},
{
"url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
},
{
"url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
},
{
"url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
}
],
"title": "HID: core: Harden s32ton() against conversion to 0 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38556",
"datePublished": "2025-08-19T17:02:34.929Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2026-05-11T21:30:22.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38593 (GCVE-0-2025-38593)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2026-05-11 21:31
VLAI
EPSS
Title
Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
Function 'hci_discovery_filter_clear()' frees 'uuids' array and then
sets it to NULL. There is a tiny chance of the following race:
'hci_cmd_sync_work()'
'update_passive_scan_sync()'
'hci_update_passive_scan_sync()'
'hci_discovery_filter_clear()'
kfree(uuids);
<-------------------------preempted-------------------------------->
'start_service_discovery()'
'hci_discovery_filter_clear()'
kfree(uuids); // DOUBLE FREE
<-------------------------preempted-------------------------------->
uuids = NULL;
To fix it let's add locking around 'kfree()' call and NULL pointer
assignment. Otherwise the following backtrace fires:
[ ] ------------[ cut here ]------------
[ ] kernel BUG at mm/slub.c:547!
[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
[ ] Tainted: [O]=OOT_MODULE
[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ ] pc : __slab_free+0xf8/0x348
[ ] lr : __slab_free+0x48/0x348
...
[ ] Call trace:
[ ] __slab_free+0xf8/0x348
[ ] kfree+0x164/0x27c
[ ] start_service_discovery+0x1d0/0x2c0
[ ] hci_sock_sendmsg+0x518/0x924
[ ] __sock_sendmsg+0x54/0x60
[ ] sock_write_iter+0x98/0xf8
[ ] do_iter_readv_writev+0xe4/0x1c8
[ ] vfs_writev+0x128/0x2b0
[ ] do_writev+0xfc/0x118
[ ] __arm64_sys_writev+0x20/0x2c
[ ] invoke_syscall+0x68/0xf0
[ ] el0_svc_common.constprop.0+0x40/0xe0
[ ] do_el0_svc+0x1c/0x28
[ ] el0_svc+0x30/0xd0
[ ] el0t_64_sync_handler+0x100/0x12c
[ ] el0t_64_sync+0x194/0x198
[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
[ ] ---[ end trace 0000000000000000 ]---
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ad383c2c65a5baf16e334cd40a013cc302176891 , < 86f3dcd1f331cfd4fd7ec88906955134ec51afbe
(git)
Affected: ad383c2c65a5baf16e334cd40a013cc302176891 , < 7ce9bb0b95fc280e9212b8922590c492ca1d9c39 (git) Affected: ad383c2c65a5baf16e334cd40a013cc302176891 , < 16852eccbdfaf41a666705e3f8be55cf2864c5ca (git) Affected: ad383c2c65a5baf16e334cd40a013cc302176891 , < a351ff6b8ecca4229afaa0d98042bead8de64799 (git) Affected: ad383c2c65a5baf16e334cd40a013cc302176891 , < f8069f34c4c976786ded97498012225af87435d7 (git) Affected: ad383c2c65a5baf16e334cd40a013cc302176891 , < 2935e556850e9c94d7a00adf14d3cd7fe406ac03 (git) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.42 , ≤ 6.12.* (semver) Unaffected: 6.15.10 , ≤ 6.15.* (semver) Unaffected: 6.16.1 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f3dcd1f331cfd4fd7ec88906955134ec51afbe",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
},
{
"lessThan": "7ce9bb0b95fc280e9212b8922590c492ca1d9c39",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
},
{
"lessThan": "16852eccbdfaf41a666705e3f8be55cf2864c5ca",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
},
{
"lessThan": "a351ff6b8ecca4229afaa0d98042bead8de64799",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
},
{
"lessThan": "f8069f34c4c976786ded97498012225af87435d7",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
},
{
"lessThan": "2935e556850e9c94d7a00adf14d3cd7fe406ac03",
"status": "affected",
"version": "ad383c2c65a5baf16e334cd40a013cc302176891",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix double free in \u0027hci_discovery_filter_clear()\u0027\n\nFunction \u0027hci_discovery_filter_clear()\u0027 frees \u0027uuids\u0027 array and then\nsets it to NULL. There is a tiny chance of the following race:\n\n\u0027hci_cmd_sync_work()\u0027\n\n \u0027update_passive_scan_sync()\u0027\n\n \u0027hci_update_passive_scan_sync()\u0027\n\n \u0027hci_discovery_filter_clear()\u0027\n kfree(uuids);\n\n \u003c-------------------------preempted--------------------------------\u003e\n \u0027start_service_discovery()\u0027\n\n \u0027hci_discovery_filter_clear()\u0027\n kfree(uuids); // DOUBLE FREE\n\n \u003c-------------------------preempted--------------------------------\u003e\n\n uuids = NULL;\n\nTo fix it let\u0027s add locking around \u0027kfree()\u0027 call and NULL pointer\nassignment. Otherwise the following backtrace fires:\n\n[ ] ------------[ cut here ]------------\n[ ] kernel BUG at mm/slub.c:547!\n[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1\n[ ] Tainted: [O]=OOT_MODULE\n[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ ] pc : __slab_free+0xf8/0x348\n[ ] lr : __slab_free+0x48/0x348\n...\n[ ] Call trace:\n[ ] __slab_free+0xf8/0x348\n[ ] kfree+0x164/0x27c\n[ ] start_service_discovery+0x1d0/0x2c0\n[ ] hci_sock_sendmsg+0x518/0x924\n[ ] __sock_sendmsg+0x54/0x60\n[ ] sock_write_iter+0x98/0xf8\n[ ] do_iter_readv_writev+0xe4/0x1c8\n[ ] vfs_writev+0x128/0x2b0\n[ ] do_writev+0xfc/0x118\n[ ] __arm64_sys_writev+0x20/0x2c\n[ ] invoke_syscall+0x68/0xf0\n[ ] el0_svc_common.constprop.0+0x40/0xe0\n[ ] do_el0_svc+0x1c/0x28\n[ ] el0_svc+0x30/0xd0\n[ ] el0t_64_sync_handler+0x100/0x12c\n[ ] el0t_64_sync+0x194/0x198\n[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)\n[ ] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:31:15.126Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f3dcd1f331cfd4fd7ec88906955134ec51afbe"
},
{
"url": "https://git.kernel.org/stable/c/7ce9bb0b95fc280e9212b8922590c492ca1d9c39"
},
{
"url": "https://git.kernel.org/stable/c/16852eccbdfaf41a666705e3f8be55cf2864c5ca"
},
{
"url": "https://git.kernel.org/stable/c/a351ff6b8ecca4229afaa0d98042bead8de64799"
},
{
"url": "https://git.kernel.org/stable/c/f8069f34c4c976786ded97498012225af87435d7"
},
{
"url": "https://git.kernel.org/stable/c/2935e556850e9c94d7a00adf14d3cd7fe406ac03"
}
],
"title": "Bluetooth: hci_sync: fix double free in \u0027hci_discovery_filter_clear()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38593",
"datePublished": "2025-08-19T17:03:18.960Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2026-05-11T21:31:15.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38678 (GCVE-0-2025-38678)
Vulnerability from cvelistv5 – Published: 2025-09-03 13:01 – Updated: 2026-05-11 21:32
VLAI
EPSS
Title
netfilter: nf_tables: reject duplicate device on updates
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject duplicate device on updates
A chain/flowtable update with duplicated devices in the same batch is
possible. Unfortunately, netdev event path only removes the first
device that is found, leaving unregistered the hook of the duplicated
device.
Check if a duplicated device exists in the transaction batch, bail out
with EEXIST in such case.
WARNING is hit when unregistering the hook:
[49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
[49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
[...]
[49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < 0521e694d5b80899fba8695881a6349f9bc538cb
(git)
Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < 4681960bc0f4f8bcc782cbf2fd205f48ad314dfd (git) Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < 4ce2a0c3b8497a66cfc25fc7ca3d087258a785d2 (git) Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < 3f358a66a04513311668ea4b40f5064e253d8386 (git) Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < cf23d531a9d496863aa4c5a0e2f71f0a23f3df3c (git) Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < d7615bde541f16517d6790412da6ec46fa8a4c1f (git) Affected: 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 , < cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.16.2 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0521e694d5b80899fba8695881a6349f9bc538cb",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "4681960bc0f4f8bcc782cbf2fd205f48ad314dfd",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "4ce2a0c3b8497a66cfc25fc7ca3d087258a785d2",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "3f358a66a04513311668ea4b40f5064e253d8386",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "cf23d531a9d496863aa4c5a0e2f71f0a23f3df3c",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "d7615bde541f16517d6790412da6ec46fa8a4c1f",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
},
{
"lessThan": "cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973",
"status": "affected",
"version": "78d9f48f7f44431a25da2b46b3a8812f6ff2b981",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:32:51.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0521e694d5b80899fba8695881a6349f9bc538cb"
},
{
"url": "https://git.kernel.org/stable/c/4681960bc0f4f8bcc782cbf2fd205f48ad314dfd"
},
{
"url": "https://git.kernel.org/stable/c/4ce2a0c3b8497a66cfc25fc7ca3d087258a785d2"
},
{
"url": "https://git.kernel.org/stable/c/3f358a66a04513311668ea4b40f5064e253d8386"
},
{
"url": "https://git.kernel.org/stable/c/cf23d531a9d496863aa4c5a0e2f71f0a23f3df3c"
},
{
"url": "https://git.kernel.org/stable/c/d7615bde541f16517d6790412da6ec46fa8a4c1f"
},
{
"url": "https://git.kernel.org/stable/c/cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973"
}
],
"title": "netfilter: nf_tables: reject duplicate device on updates",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38678",
"datePublished": "2025-09-03T13:01:15.799Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2026-05-11T21:32:51.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39805 (GCVE-0-2025-39805)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-05-11 21:36
VLAI
EPSS
Title
net: macb: fix unregister_netdev call order in macb_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix unregister_netdev call order in macb_remove()
When removing a macb device, the driver calls phy_exit() before
unregister_netdev(). This leads to a WARN from kernfs:
------------[ cut here ]------------
kernfs: can not remove 'attached_dev', no directory
WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683
Call trace:
kernfs_remove_by_name_ns+0xd8/0xf0
sysfs_remove_link+0x24/0x58
phy_detach+0x5c/0x168
phy_disconnect+0x4c/0x70
phylink_disconnect_phy+0x6c/0xc0 [phylink]
macb_close+0x6c/0x170 [macb]
...
macb_remove+0x60/0x168 [macb]
platform_remove+0x5c/0x80
...
The warning happens because the PHY is being exited while the netdev
is still registered. The correct order is to unregister the netdev
before shutting down the PHY and cleaning up the MDIO bus.
Fix this by moving unregister_netdev() ahead of phy_exit() in
macb_remove().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8b73fa3ae02b2401960de41b0454c0321377b203 , < 7351782f2fc8ac31ced52e3d4e6fa120f819a7ab
(git)
Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 2b9719ccad38dffad7dbdd2f39896f723f9b9011 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < ff0d3bad32108b57265e5b48f15327549af771d3 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 775fe690fd4a3337ad2115de2adb41b227d4dae7 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 01b9128c5db1b470575d07b05b67ffa3cb02ebf1 (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.119 , ≤ 6.6.* (semver) Unaffected: 6.12.45 , ≤ 6.12.* (semver) Unaffected: 6.16.5 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7351782f2fc8ac31ced52e3d4e6fa120f819a7ab",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "2b9719ccad38dffad7dbdd2f39896f723f9b9011",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "ff0d3bad32108b57265e5b48f15327549af771d3",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "775fe690fd4a3337ad2115de2adb41b227d4dae7",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "01b9128c5db1b470575d07b05b67ffa3cb02ebf1",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix unregister_netdev call order in macb_remove()\n\nWhen removing a macb device, the driver calls phy_exit() before\nunregister_netdev(). This leads to a WARN from kernfs:\n\n ------------[ cut here ]------------\n kernfs: can not remove \u0027attached_dev\u0027, no directory\n WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683\n Call trace:\n kernfs_remove_by_name_ns+0xd8/0xf0\n sysfs_remove_link+0x24/0x58\n phy_detach+0x5c/0x168\n phy_disconnect+0x4c/0x70\n phylink_disconnect_phy+0x6c/0xc0 [phylink]\n macb_close+0x6c/0x170 [macb]\n ...\n macb_remove+0x60/0x168 [macb]\n platform_remove+0x5c/0x80\n ...\n\nThe warning happens because the PHY is being exited while the netdev\nis still registered. The correct order is to unregister the netdev\nbefore shutting down the PHY and cleaning up the MDIO bus.\n\nFix this by moving unregister_netdev() ahead of phy_exit() in\nmacb_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:36:36.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7351782f2fc8ac31ced52e3d4e6fa120f819a7ab"
},
{
"url": "https://git.kernel.org/stable/c/2b9719ccad38dffad7dbdd2f39896f723f9b9011"
},
{
"url": "https://git.kernel.org/stable/c/ff0d3bad32108b57265e5b48f15327549af771d3"
},
{
"url": "https://git.kernel.org/stable/c/775fe690fd4a3337ad2115de2adb41b227d4dae7"
},
{
"url": "https://git.kernel.org/stable/c/01b9128c5db1b470575d07b05b67ffa3cb02ebf1"
}
],
"title": "net: macb: fix unregister_netdev call order in macb_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39805",
"datePublished": "2025-09-16T13:00:06.731Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2026-05-11T21:36:36.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40083 (GCVE-0-2025-40083)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-05-11 21:42
VLAI
EPSS
Title
net/sched: sch_qfq: Fix null-deref in agg_dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 71d84658a61322e5630c85c5388fc25e4a2d08b2
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 99fc137f178797204d36ac860dd8b31e35baa2df (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 1bed56f089f09b465420bf23bb32985c305cfc28 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3c2a8994807623c7655ece205667ae2cf74940aa (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ffa9d66187188e3068b5a3895e6ae1ee34f9199 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ff8e74c8f8a68ec07ef837b95425dfe900d060f (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < dd831ac8221e691e9e918585b1003c7071df0379 (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.116 , ≤ 6.6.* (semver) Unaffected: 6.12.57 , ≤ 6.12.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.116",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:42:10.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
},
{
"url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
},
{
"url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
},
{
"url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
},
{
"url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
},
{
"url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
},
{
"url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
}
],
"title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40083",
"datePublished": "2025-10-29T13:37:01.868Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-05-11T21:42:10.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40211 (GCVE-0-2025-40211)
Vulnerability from cvelistv5 – Published: 2025-11-21 10:21 – Updated: 2026-05-11 21:44
VLAI
EPSS
Title
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness
and device->backlight, freed by acpi_video_dev_unregister_backlight()
during device removal.
If the work executes after acpi_video_bus_unregister_backlight()
frees these resources, it causes a use-after-free when
acpi_video_switch_brightness() dereferences device->brightness or
device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's
switch_brightness_work in acpi_video_bus_remove_notify_handler()
after removing the notify handler that queues the work. This ensures
the work completes before the memory is freed.
[ rjw: Changelog edit ]
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 3f803ccf5a0c043e7c8b83f6665b082401fc8bee
(git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < ba1704316492a0496c69334338ea1fdbf4c2fd34 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < bc78a4f51d548c1ccc3d1967c2b394bf687c86e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 4e85246ec0d019dfba86ba54d841ef6694f97149 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < de5fc93275a4a459fe2f7cb746984f2ab3e8292a (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 293125536ef5521328815fa7c76d5f9eb1635659 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 8f067aa59430266386b83c18b983ca583faa6a11 (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f803ccf5a0c043e7c8b83f6665b082401fc8bee",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "ba1704316492a0496c69334338ea1fdbf4c2fd34",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "bc78a4f51d548c1ccc3d1967c2b394bf687c86e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "4e85246ec0d019dfba86ba54d841ef6694f97149",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:44:54.867Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee"
},
{
"url": "https://git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34"
},
{
"url": "https://git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9"
},
{
"url": "https://git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9"
},
{
"url": "https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149"
},
{
"url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
},
{
"url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
},
{
"url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
}
],
"title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40211",
"datePublished": "2025-11-21T10:21:36.438Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-05-11T21:44:54.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40214 (GCVE-0-2025-40214)
Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2026-05-23 16:01
VLAI
EPSS
Title
af_unix: Initialise scc_index in unix_add_edge().
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Initialise scc_index in unix_add_edge().
Quang Le reported that the AF_UNIX GC could garbage-collect a
receive queue of an alive in-flight socket, with a nice repro.
The repro consists of three stages.
1)
1-a. Create a single cyclic reference with many sockets
1-b. close() all sockets
1-c. Trigger GC
2)
2-a. Pass sk-A to an embryo sk-B
2-b. Pass sk-X to sk-X
2-c. Trigger GC
3)
3-a. accept() the embryo sk-B
3-b. Pass sk-B to sk-C
3-c. close() the in-flight sk-A
3-d. Trigger GC
As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,
and unix_walk_scc() groups them into two different SCCs:
unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)
unix_sk(sk-X)->vertex->scc_index = 3
Once GC completes, unix_graph_grouped is set to true.
Also, unix_graph_maybe_cyclic is set to true due to sk-X's
cyclic self-reference, which makes close() trigger GC.
At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and
links it to unix_unvisited_vertices.
unix_update_graph() is called at 3-a. and 3-b., but neither
unix_graph_grouped nor unix_graph_maybe_cyclic is changed
because both sk-B's listener and sk-C are not in-flight.
3-c decrements sk-A's file refcnt to 1.
Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast()
is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:
sk-A -> sk-B (-> sk-C)
sk-X -> sk-X
This is totally fine. All of them are not yet close()d and
should be grouped into different SCCs.
However, unix_vertex_dead() misjudges that sk-A and sk-B are
in the same SCC and sk-A is dead.
unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!
&&
sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree
^-- 1 in-flight count for sk-B
-> sk-A is dead !?
The problem is that unix_add_edge() does not initialise scc_index.
Stage 1) is used for heap spraying, making a newly allocated
vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)
set by unix_walk_scc() at 1-c.
Let's track the max SCC index from the previous unix_walk_scc()
call and assign the max + 1 to a new vertex's scc_index.
This way, we can continue to avoid Tarjan's algorithm while
preventing misjudgments.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
adfb68b39b39767d6bfb53e48c4f19c183765686 , < 20003fbb9174121b27bd1da6ebe61542ac4c327d
(git)
Affected: d23802221f6755e104606864067c71af8cdb6788 , < 4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 (git) Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 (git) Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < 1aa7e40ee850c9053e769957ce6541173891204d (git) Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < 60e6489f8e3b086bd1130ad4450a2c112e863791 (git) Affected: 6.1.141 , < 6.1.159 (semver) Affected: 6.6.93 , < 6.6.117 (semver) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20003fbb9174121b27bd1da6ebe61542ac4c327d",
"status": "affected",
"version": "adfb68b39b39767d6bfb53e48c4f19c183765686",
"versionType": "git"
},
{
"lessThan": "4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3",
"status": "affected",
"version": "d23802221f6755e104606864067c71af8cdb6788",
"versionType": "git"
},
{
"lessThan": "db81ad20fd8aef7cc7d536c52ee5ea4c1f979128",
"status": "affected",
"version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
"versionType": "git"
},
{
"lessThan": "1aa7e40ee850c9053e769957ce6541173891204d",
"status": "affected",
"version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
"versionType": "git"
},
{
"lessThan": "60e6489f8e3b086bd1130ad4450a2c112e863791",
"status": "affected",
"version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
"versionType": "git"
},
{
"lessThan": "6.1.159",
"status": "affected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThan": "6.6.117",
"status": "affected",
"version": "6.6.93",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n 1)\n 1-a. Create a single cyclic reference with many sockets\n 1-b. close() all sockets\n 1-c. Trigger GC\n\n 2)\n 2-a. Pass sk-A to an embryo sk-B\n 2-b. Pass sk-X to sk-X\n 2-c. Trigger GC\n\n 3)\n 3-a. accept() the embryo sk-B\n 3-b. Pass sk-B to sk-C\n 3-c. close() the in-flight sk-A\n 3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n unix_sk(sk-A)-\u003evertex-\u003escc_index = 2 (UNIX_VERTEX_INDEX_START)\n unix_sk(sk-X)-\u003evertex-\u003escc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X\u0027s\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)-\u003evertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B\u0027s listener and sk-C are not in-flight.\n\n3-c decrements sk-A\u0027s file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n sk-A -\u003e sk-B (-\u003e sk-C)\n sk-X -\u003e sk-X\n\nThis is totally fine. All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n unix_sk(sk-A)-\u003escc_index == unix_sk(sk-B)-\u003escc_index \u003c-- Wrong!\n \u0026\u0026\n sk-A\u0027s file refcnt == unix_sk(sk-A)-\u003evertex-\u003eout_degree\n ^-- 1 in-flight count for sk-B\n -\u003e sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex-\u003escc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet\u0027s track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex\u0027s scc_index.\n\nThis way, we can continue to avoid Tarjan\u0027s algorithm while\npreventing misjudgments."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:01:41.569Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d"
},
{
"url": "https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3"
},
{
"url": "https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128"
},
{
"url": "https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d"
},
{
"url": "https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791"
}
],
"title": "af_unix: Initialise scc_index in unix_add_edge().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40214",
"datePublished": "2025-12-04T12:38:31.601Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-05-23T16:01:41.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…