Vulnerability-Lookup

CERTFR-2025-AVI-0966

Vulnerability from certfr_avis - Published: 2025-11-05 - Updated: 2025-11-05

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	cbl2 golang 1.22.7-5
Microsoft	N/A	azl3 golang 1.23.12-1
Microsoft	N/A	cbl2 python-tensorboard 2.11.0-3
Microsoft	N/A	azl3 moby-engine 25.0.3-13
Microsoft	N/A	azl3 python-tensorboard 2.16.2-6
Microsoft	N/A	azl3 kernel 6.6.104.2-4
Microsoft	N/A	cbl2 msft-golang 1.24.8-1
Microsoft	N/A	azl3 gh 2.62.0-9
Microsoft	N/A	azl3 frr 9.1.1-3
Microsoft	N/A	azl3 xorg-x11-server-Xwayland 24.1.6-2 versions antérieures à 24.1.6-3
Microsoft	N/A	cbl2 libcontainers-common 20210626-7
Microsoft	N/A	cbl2 moby-engine 24.0.9-18
Microsoft	N/A	cbl2 frr 8.5.5-3
Microsoft	N/A	azl3 containerized-data-importer 1.57.0-16
Microsoft	N/A	azl3 skopeo 1.14.4-6
Microsoft	N/A	azl3 tensorflow 2.16.1-9
Microsoft	N/A	azl3 keras 3.3.3-4 versions antérieures à 3.3.3-5
Microsoft	N/A	cbl2 gcc 11.2.0-8
Microsoft	N/A	cbl2 keras 2.11.0-3
Microsoft	N/A	azl3 golang 1.25.3-1
Microsoft	N/A	cbl2 tensorflow 2.11.1-2
Microsoft	N/A	azl3 keras 3.3.3-4
Microsoft	N/A	azl3 gcc 13.2.0-7
Microsoft	N/A	cbl2 cri-o 1.22.3-16
Microsoft	N/A	cbl2 skopeo 1.14.2-12
Microsoft	N/A	cbl2 containerized-data-importer 1.55.0-25
Microsoft	N/A	cbl2 golang 1.18.8-10
Microsoft	N/A	azl3 libcontainers-common 20240213-3

References

Title

Publication Time

CVE-2025-12058 (GCVE-0-2025-12058)

Vulnerability from cvelistv5 – Published: 2025-10-29 08:48 – Updated: 2025-10-29 14:11

Title

Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF

Summary

The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path. * Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system. * Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition. The security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.

Severity

5.9 (Medium)


                        
                          CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

Google

References

2 references

URL	Tags
https://github.com/keras-team/keras/security/advi…
https://github.com/keras-team/keras/pull/21751

Impacted products

1 product

Vendor	Product	Version
Keras	Keras	Affected: 0 , < 3.12.0 (date)

Date Public

2025-10-17 22:00

Credits

Jayashwa Singh Chauhan

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-29T14:07:04.803189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-29T14:11:03.027Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keras",
          "vendor": "Keras",
          "versions": [
            {
              "lessThan": "3.12.0",
              "status": "affected",
              "version": "0",
              "versionType": "date"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.12.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jayashwa Singh Chauhan"
        }
      ],
      "datePublic": "2025-10-17T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe \u003cb\u003e\u003ccode\u003eKeras.Model.load_model\u003c/code\u003e\u003c/b\u003e method, including when executed with the intended security mitigation \u003cb\u003e\u003ccode\u003esafe_mode=True\u003c/code\u003e\u003c/b\u003e, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis vulnerability stems from the way the \u003cb\u003e\u003ccode\u003eStringLookup\u003c/code\u003e\u003c/b\u003e layer is handled during model loading from a specially crafted \u003cb\u003e\u003ccode\u003e.keras\u003c/code\u003e\u003c/b\u003e archive. The constructor for the \u003ccode\u003eStringLookup\u003c/code\u003e layer accepts a \u003ccode\u003evocabulary\u003c/code\u003e argument that can specify a \u003cb\u003elocal file path\u003c/b\u003e or a \u003cb\u003eremote file path\u003c/b\u003e.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eArbitrary Local File Read:\u003c/b\u003e An attacker can create a malicious \u003ccode\u003e.keras\u003c/code\u003e file that embeds a local path in the \u003ccode\u003eStringLookup\u003c/code\u003e layer\u0027s configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via \u003ccode\u003eget_vocabulary()\u003c/code\u003e), allowing an attacker to \u003cb\u003eread arbitrary local files\u003c/b\u003e on the hosting system.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eServer-Side Request Forgery (SSRF):\u003c/b\u003e Keras utilizes \u003cb\u003e\u003ccode\u003etf.io.gfile\u003c/code\u003e\u003c/b\u003e for file operations. Since \u003ccode\u003etf.io.gfile\u003c/code\u003e supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from \u003cb\u003earbitrary network endpoints\u003c/b\u003e on the server\u0027s behalf, resulting in an SSRF condition.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe security issue is that the feature allowing external path loading was \u003cb\u003enot properly restricted\u003c/b\u003e by the \u003ccode\u003esafe_mode=True\u003c/code\u003e flag, which was intended to prevent such unintended data access.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\n\n\nThis vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.\n\n  *  Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer\u0027s configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.\n\n\n  *  Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server\u0027s behalf, resulting in an SSRF condition.\n\n\nThe security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-221",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-221 Data Serialization External Entities Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T08:48:29.689Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f"
        },
        {
          "url": "https://github.com/keras-team/keras/pull/21751"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-12058",
    "datePublished": "2025-10-29T08:48:29.689Z",
    "dateReserved": "2025-10-22T07:39:21.715Z",
    "dateUpdated": "2025-10-29T14:11:03.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-12060 (GCVE-0-2025-12060)

Vulnerability from cvelistv5 – Published: 2025-10-30 17:10 – Updated: 2026-02-26 16:56

Title

Keras keras.utils.get_file Utility Path Traversal Vulnerability

Summary

The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).

Severity

8.9 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

Google

References

2 references

URL	Tags
https://github.com/keras-team/keras/pull/21760
https://github.com/keras-team/keras/security/advi…

Impacted products

1 product

Vendor	Product	Version
Keras	Keras	Affected: 3.0.0 , ≤ 3.11.3 (semver)

Credits

Krishna Gudimetla

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12060",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-01T03:55:52.825401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:56:46.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keras-team/keras/",
          "defaultStatus": "unaffected",
          "packageName": "util",
          "product": "Keras",
          "programFiles": [
            "get_file"
          ],
          "vendor": "Keras",
          "versions": [
            {
              "lessThanOrEqual": "3.11.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "3.11.3",
                  "versionStartIncluding": "3.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Krishna Gudimetla"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The \u003ccode\u003ekeras.utils.get_file\u003c/code\u003e API in Keras, when used with the \u003ccode\u003eextract=True\u003c/code\u003e option for tar archives, is vulnerable to a path traversal attack. The utility uses Python\u0027s \u003ccode\u003etarfile.extractall\u003c/code\u003e function without the \u003ccode\u003efilter=\"data\"\u003c/code\u003e feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python \u003ccode\u003etarfile\u003c/code\u003e weakness, identified as CVE-2025-4517.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNote that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python\u0027s tarfile.extractall function without the filter=\"data\" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517.\u00a0Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T17:10:43.868Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/keras-team/keras/pull/21760"
        },
        {
          "url": "https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Keras keras.utils.get_file Utility Path Traversal Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-12060",
    "datePublished": "2025-10-30T17:10:43.868Z",
    "dateReserved": "2025-10-22T10:17:29.108Z",
    "dateUpdated": "2026-02-26T16:56:46.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40083 (GCVE-0-2025-40083)

Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-05-11 21:42

Title

net/sched: sch_qfq: Fix null-deref in agg_dequeue

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix null-deref in agg_dequeue To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/71d84658a61322e56…
https://git.kernel.org/stable/c/99fc137f178797204…
https://git.kernel.org/stable/c/1bed56f089f09b465…
https://git.kernel.org/stable/c/3c2a8994807623c76…
https://git.kernel.org/stable/c/6ffa9d66187188e30…
https://git.kernel.org/stable/c/6ff8e74c8f8a68ec0…
https://git.kernel.org/stable/c/dd831ac8221e691e9…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 71d84658a61322e5630c85c5388fc25e4a2d08b2 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 99fc137f178797204d36ac860dd8b31e35baa2df (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 1bed56f089f09b465420bf23bb32985c305cfc28 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3c2a8994807623c7655ece205667ae2cf74940aa (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ffa9d66187188e3068b5a3895e6ae1ee34f9199 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ff8e74c8f8a68ec07ef837b95425dfe900d060f (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < dd831ac8221e691e9e918585b1003c7071df0379 (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.116 , ≤ 6.6.* (semver) Unaffected: 6.12.57 , ≤ 6.12.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/pkt_sched.h",
            "net/sched/sch_api.c",
            "net/sched/sch_hfsc.c",
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/pkt_sched.h",
            "net/sched/sch_api.c",
            "net/sched/sch_hfsc.c",
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.116",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.116",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.57",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:10.831Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
        }
      ],
      "title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40083",
    "datePublished": "2025-10-29T13:37:01.868Z",
    "dateReserved": "2025-04-16T07:20:57.161Z",
    "dateUpdated": "2026-05-11T21:42:10.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40084 (GCVE-0-2025-40084)

Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-05-11 21:42

Title

ksmbd: transport_ipc: validate payload size before reading handle

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: transport_ipc: validate payload size before reading handle handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing. This is a minimal fix to guard the initial handle read.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/a02e432d5130da4c7…
https://git.kernel.org/stable/c/2dc125f5da134c091…
https://git.kernel.org/stable/c/898d527ed94c19980…
https://git.kernel.org/stable/c/867ffd9d67285612d…
https://git.kernel.org/stable/c/6f40e50ceb99fc8ef…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a02e432d5130da4c723aabe1205bac805889fdb2 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2dc125f5da134c0915a840b62565c60a595673dd (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 898d527ed94c19980a4d848f10057f1fed578ffb (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 867ffd9d67285612da3f0498ca618297f8e41f01 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.115 , ≤ 6.6.* (semver) Unaffected: 6.12.56 , ≤ 6.12.* (semver) Unaffected: 6.17.6 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/transport_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a02e432d5130da4c723aabe1205bac805889fdb2",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "2dc125f5da134c0915a840b62565c60a595673dd",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "898d527ed94c19980a4d848f10057f1fed578ffb",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "867ffd9d67285612da3f0498ca618297f8e41f01",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/transport_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: transport_ipc: validate payload size before reading handle\n\nhandle_response() dereferences the payload as a 4-byte handle without\nverifying that the declared payload size is at least 4 bytes. A malformed\nor truncated message from ksmbd.mountd can lead to a 4-byte read past the\ndeclared payload size. Validate the size before dereferencing.\n\nThis is a minimal fix to guard the initial handle read."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:12.033Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a02e432d5130da4c723aabe1205bac805889fdb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dc125f5da134c0915a840b62565c60a595673dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/898d527ed94c19980a4d848f10057f1fed578ffb"
        },
        {
          "url": "https://git.kernel.org/stable/c/867ffd9d67285612da3f0498ca618297f8e41f01"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0"
        }
      ],
      "title": "ksmbd: transport_ipc: validate payload size before reading handle",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40084",
    "datePublished": "2025-10-29T13:37:03.185Z",
    "dateReserved": "2025-04-16T07:20:57.161Z",
    "dateUpdated": "2026-05-11T21:42:12.033Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40085 (GCVE-0-2025-40085)

Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-05-23 16:01

Title

ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/736159f7b296d7a95…
https://git.kernel.org/stable/c/8d19a7ab28c7b9c20…
https://git.kernel.org/stable/c/576312eb436326b44…
https://git.kernel.org/stable/c/bba7208765d26e5e3…
https://git.kernel.org/stable/c/8503ac1a62075a085…
https://git.kernel.org/stable/c/28412b489b088fb88…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5 , < 736159f7b296d7a95f7208eb4799639b1f8b16a0 (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 576312eb436326b44b7010f4d9ae2b698df075ea (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < bba7208765d26e5e36b87f21dacc2780b064f41f (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 8503ac1a62075a085402e42a386b5c627c821a51 (git) Affected: 39efc9c8a973ddff5918191525d1679d0fb368ea , < 28412b489b088fb88dff488305fd4e56bd47f6e4 (git) Affected: 9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c (git) Affected: 52076a41c128146c9df4a157e972cb17019313b1 (git) Affected: 5.15.75 , < 5.15.196 (semver) Affected: 5.19.17 , < 5.20 (semver) Affected: 6.0.3 , < 6.1 (semver)
Linux	Linux	Affected: 6.1 Unaffected: 0 , < 6.1 (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/card.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "736159f7b296d7a95f7208eb4799639b1f8b16a0",
              "status": "affected",
              "version": "28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5",
              "versionType": "git"
            },
            {
              "lessThan": "8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb",
              "status": "affected",
              "version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
              "versionType": "git"
            },
            {
              "lessThan": "576312eb436326b44b7010f4d9ae2b698df075ea",
              "status": "affected",
              "version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
              "versionType": "git"
            },
            {
              "lessThan": "bba7208765d26e5e36b87f21dacc2780b064f41f",
              "status": "affected",
              "version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
              "versionType": "git"
            },
            {
              "lessThan": "8503ac1a62075a085402e42a386b5c627c821a51",
              "status": "affected",
              "version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
              "versionType": "git"
            },
            {
              "lessThan": "28412b489b088fb88dff488305fd4e56bd47f6e4",
              "status": "affected",
              "version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "52076a41c128146c9df4a157e972cb17019313b1",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.196",
              "status": "affected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThan": "5.20",
              "status": "affected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "6.0.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/card.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "5.15.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer deference in try_to_register_card\n\nIn try_to_register_card(), the return value of usb_ifnum_to_if() is\npassed directly to usb_interface_claimed() without a NULL check, which\nwill lead to a NULL pointer dereference when creating an invalid\nUSB audio device. Fix this by adding a check to ensure the interface\npointer is valid before passing it to usb_interface_claimed()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:01:24.342Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/736159f7b296d7a95f7208eb4799639b1f8b16a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/576312eb436326b44b7010f4d9ae2b698df075ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/bba7208765d26e5e36b87f21dacc2780b064f41f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8503ac1a62075a085402e42a386b5c627c821a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/28412b489b088fb88dff488305fd4e56bd47f6e4"
        }
      ],
      "title": "ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40085",
    "datePublished": "2025-10-29T13:37:04.707Z",
    "dateReserved": "2025-04-16T07:20:57.161Z",
    "dateUpdated": "2026-05-23T16:01:24.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40087 (GCVE-0-2025-40087)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2026-05-11 21:42

Title

NFSD: Define a proc_layoutcommit for the FlexFiles layout type

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/a75994dd879401c3e…
https://git.kernel.org/stable/c/34d187e020cbda112…
https://git.kernel.org/stable/c/ba88a53d7f5df4191…
https://git.kernel.org/stable/c/da9129ef77786839a…
https://git.kernel.org/stable/c/f7353208c91ab004e…
https://git.kernel.org/stable/c/a156af6a4dc38c2aa…
https://git.kernel.org/stable/c/785ec512afa80d054…
https://git.kernel.org/stable/c/4b47a8601b71ad988…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < a75994dd879401c3e24ff51c2536559f1a53ea27 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 34d187e020cbda112a6c6f094f0ca5e6a8672b75 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < ba88a53d7f5df4191583abf214214efe0cda91d2 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < da9129ef77786839a3ccd1d7afeeab790bceaa1d (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < f7353208c91ab004e0179c5fb6c365b0f132f9f0 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 785ec512afa80d0540f2ca797c0e56de747a6083 (git) Affected: 9b9960a0ca4773e21c4b153ed355583946346b25 , < 4b47a8601b71ad98833b447d465592d847b4dc77 (git)
Linux	Linux	Affected: 4.8 Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/flexfilelayout.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a75994dd879401c3e24ff51c2536559f1a53ea27",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "34d187e020cbda112a6c6f094f0ca5e6a8672b75",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "ba88a53d7f5df4191583abf214214efe0cda91d2",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "da9129ef77786839a3ccd1d7afeeab790bceaa1d",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "f7353208c91ab004e0179c5fb6c365b0f132f9f0",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "785ec512afa80d0540f2ca797c0e56de747a6083",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            },
            {
              "lessThan": "4b47a8601b71ad98833b447d465592d847b4dc77",
              "status": "affected",
              "version": "9b9960a0ca4773e21c4b153ed355583946346b25",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/flexfilelayout.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define a proc_layoutcommit for the FlexFiles layout type\n\nAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT\noperation on a FlexFiles layout."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:15.664Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a75994dd879401c3e24ff51c2536559f1a53ea27"
        },
        {
          "url": "https://git.kernel.org/stable/c/34d187e020cbda112a6c6f094f0ca5e6a8672b75"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba88a53d7f5df4191583abf214214efe0cda91d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/da9129ef77786839a3ccd1d7afeeab790bceaa1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7353208c91ab004e0179c5fb6c365b0f132f9f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4"
        },
        {
          "url": "https://git.kernel.org/stable/c/785ec512afa80d0540f2ca797c0e56de747a6083"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b47a8601b71ad98833b447d465592d847b4dc77"
        }
      ],
      "title": "NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40087",
    "datePublished": "2025-10-30T09:47:56.675Z",
    "dateReserved": "2025-04-16T07:20:57.162Z",
    "dateUpdated": "2026-05-11T21:42:15.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40088 (GCVE-0-2025-40088)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2026-05-11 21:42

Title

hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

Summary

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() The hfsplus_strcasecmp() logic can trigger the issue: [ 117.317703][ T9855] ================================================================== [ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [ 117.319577][ T9855] [ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 117.319783][ T9855] Call Trace: [ 117.319785][ T9855] <TASK> [ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0 [ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 [ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10 [ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0 [ 117.319816][ T9855] ? lock_release+0x4b/0x3e0 [ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40 [ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 [ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0 [ 117.319842][ T9855] print_report+0x17e/0x7e0 [ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 [ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0 [ 117.319862][ T9855] ? __phys_addr+0xd3/0x180 [ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490 [ 117.319876][ T9855] kasan_report+0x147/0x180 [ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490 [ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490 [ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0 [ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470 [ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10 [ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10 [ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10 [ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510 [ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10 [ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10 [ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510 [ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0 [ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120 [ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890 [ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10 [ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0 [ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80 [ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10 [ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100 [ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150 [ 117.320034][ T9855] __lookup_slow+0x297/0x3d0 [ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10 [ 117.320045][ T9855] ? down_read+0x1ad/0x2e0 [ 117.320055][ T9855] lookup_slow+0x53/0x70 [ 117.320065][ T9855] walk_component+0x2f0/0x430 [ 117.320073][ T9855] path_lookupat+0x169/0x440 [ 117.320081][ T9855] filename_lookup+0x212/0x590 [ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10 [ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290 [ 117.320105][ T9855] ? getname_flags+0x1e5/0x540 [ 117.320112][ T9855] user_path_at+0x3a/0x60 [ 117.320117][ T9855] __x64_sys_umount+0xee/0x160 [ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10 [ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0 [ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0 [ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0 [ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/603158d4efa98a13a…
https://git.kernel.org/stable/c/ef250c3edd995d7bb…
https://git.kernel.org/stable/c/7ab44236b32ed41eb…
https://git.kernel.org/stable/c/b47a75b6f762321f9…
https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d…
https://git.kernel.org/stable/c/586c75dfd1d265c41…
https://git.kernel.org/stable/c/4bc081ba6c52b0c88…
https://git.kernel.org/stable/c/42520df65bf671895…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 603158d4efa98a13a746bd586c20f194f4a31ec8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef250c3edd995d7bb5a5e5122ffad1c28a8686eb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7ab44236b32ed41eb0636797e8e8e885a2f3b18a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b47a75b6f762321f9eb6f31aab7bce47a37063b7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 586c75dfd1d265c4150f6529debb85c9d62e101f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4bc081ba6c52b0c88c92701e3fbc33c7e2277afb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 42520df65bf67189541a425f7d36b0b3e7bd7844 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/unicode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "603158d4efa98a13a746bd586c20f194f4a31ec8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ef250c3edd995d7bb5a5e5122ffad1c28a8686eb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7ab44236b32ed41eb0636797e8e8e885a2f3b18a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b47a75b6f762321f9eb6f31aab7bce47a37063b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "586c75dfd1d265c4150f6529debb85c9d62e101f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4bc081ba6c52b0c88c92701e3fbc33c7e2277afb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "42520df65bf67189541a425f7d36b0b3e7bd7844",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/unicode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[  117.317703][ T9855] ==================================================================\n[  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[  117.319577][ T9855]\n[  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  117.319783][ T9855] Call Trace:\n[  117.319785][ T9855]  \u003cTASK\u003e\n[  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0\n[  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10\n[  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0\n[  117.319816][ T9855]  ? lock_release+0x4b/0x3e0\n[  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40\n[  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319842][ T9855]  print_report+0x17e/0x7e0\n[  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319862][ T9855]  ? __phys_addr+0xd3/0x180\n[  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319876][ T9855]  kasan_report+0x147/0x180\n[  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490\n[  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0\n[  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470\n[  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10\n[  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10\n[  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510\n[  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10\n[  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510\n[  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0\n[  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120\n[  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890\n[  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10\n[  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0\n[  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80\n[  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10\n[  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100\n[  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150\n[  117.320034][ T9855]  __lookup_slow+0x297/0x3d0\n[  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10\n[  117.320045][ T9855]  ? down_read+0x1ad/0x2e0\n[  117.320055][ T9855]  lookup_slow+0x53/0x70\n[  117.320065][ T9855]  walk_component+0x2f0/0x430\n[  117.320073][ T9855]  path_lookupat+0x169/0x440\n[  117.320081][ T9855]  filename_lookup+0x212/0x590\n[  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10\n[  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290\n[  117.320105][ T9855]  ? getname_flags+0x1e5/0x540\n[  117.320112][ T9855]  user_path_at+0x3a/0x60\n[  117.320117][ T9855]  __x64_sys_umount+0xee/0x160\n[  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10\n[  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0\n[  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0\n[  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0\n[  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:16.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ab44236b32ed41eb0636797e8e8e885a2f3b18a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b47a75b6f762321f9eb6f31aab7bce47a37063b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"
        },
        {
          "url": "https://git.kernel.org/stable/c/586c75dfd1d265c4150f6529debb85c9d62e101f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"
        },
        {
          "url": "https://git.kernel.org/stable/c/42520df65bf67189541a425f7d36b0b3e7bd7844"
        }
      ],
      "title": "hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40088",
    "datePublished": "2025-10-30T09:47:57.333Z",
    "dateReserved": "2025-04-16T07:20:57.162Z",
    "dateUpdated": "2026-05-11T21:42:16.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40092 (GCVE-0-2025-40092)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2026-05-11 21:42

Title

usb: gadget: f_ncm: Refactor bind path to use __free()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Refactor bind path to use __free() After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec ncm_bind+0x39c/0x3dc usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/185193a4714aa9c78…
https://git.kernel.org/stable/c/f37de8dec6a4c379b…
https://git.kernel.org/stable/c/1cde4516295a030cb…
https://git.kernel.org/stable/c/d3fe7143928d8dfa2…
https://git.kernel.org/stable/c/ed78f4d6079d87243…
https://git.kernel.org/stable/c/75a5b8d4ddd4eb6b1…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < 185193a4714aa9c78437a7a1858fbe5771f0f45c (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < f37de8dec6a4c379b4b8486003a1de00ff8cff3b (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < 1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2 (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < ed78f4d6079d872432b1ed54f155ef61965d3137 (git) Affected: 9f6ce4240a2bf456402c15c06768059e5973f28c , < 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef (git)
Linux	Linux	Affected: 2.6.38 Unaffected: 0 , < 2.6.38 (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_ncm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "185193a4714aa9c78437a7a1858fbe5771f0f45c",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            },
            {
              "lessThan": "f37de8dec6a4c379b4b8486003a1de00ff8cff3b",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            },
            {
              "lessThan": "1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            },
            {
              "lessThan": "d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            },
            {
              "lessThan": "ed78f4d6079d872432b1ed54f155ef61965d3137",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            },
            {
              "lessThan": "75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef",
              "status": "affected",
              "version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_ncm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the ncm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n ncm_bind+0x39c/0x3dc\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:21.524Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/185193a4714aa9c78437a7a1858fbe5771f0f45c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f37de8dec6a4c379b4b8486003a1de00ff8cff3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed78f4d6079d872432b1ed54f155ef61965d3137"
        },
        {
          "url": "https://git.kernel.org/stable/c/75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef"
        }
      ],
      "title": "usb: gadget: f_ncm: Refactor bind path to use __free()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40092",
    "datePublished": "2025-10-30T09:47:59.910Z",
    "dateReserved": "2025-04-16T07:20:57.163Z",
    "dateUpdated": "2026-05-11T21:42:21.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40094 (GCVE-0-2025-40094)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2026-05-11 21:42

Title

usb: gadget: f_acm: Refactor bind path to use __free()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_acm: Refactor bind path to use __free() After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec gs_free_req+0x30/0x44 acm_bind+0x1b8/0x1f4 usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/c5d116862dd3ed162…
https://git.kernel.org/stable/c/2b1546f7c5fc6c445…
https://git.kernel.org/stable/c/e348d18fb0124b662…
https://git.kernel.org/stable/c/201a66d8e6630762e…
https://git.kernel.org/stable/c/c4301e4dd6b32facc…
https://git.kernel.org/stable/c/47b2116e54b4a8546…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < c5d116862dd3ed162d079738a5ebddf9fceea850 (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175 (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < e348d18fb0124b662cfefb3001733b49da428215 (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 201a66d8e6630762e760e1d78f1d149da1691e7b (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < c4301e4dd6b32faccb744f1c2320e64235b68d3b (git) Affected: 1f1ba11b64947051fc32aa15fcccef6463b433f7 , < 47b2116e54b4a854600341487e8b55249e926324 (git)
Linux	Linux	Affected: 2.6.27 Unaffected: 0 , < 2.6.27 (semver) Unaffected: 5.15.196 , ≤ 5.15.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c5d116862dd3ed162d079738a5ebddf9fceea850",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            },
            {
              "lessThan": "2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            },
            {
              "lessThan": "e348d18fb0124b662cfefb3001733b49da428215",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            },
            {
              "lessThan": "201a66d8e6630762e760e1d78f1d149da1691e7b",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            },
            {
              "lessThan": "c4301e4dd6b32faccb744f1c2320e64235b68d3b",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            },
            {
              "lessThan": "47b2116e54b4a854600341487e8b55249e926324",
              "status": "affected",
              "version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_acm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the acm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n gs_free_req+0x30/0x44\n acm_bind+0x1b8/0x1f4\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:23.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c5d116862dd3ed162d079738a5ebddf9fceea850"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175"
        },
        {
          "url": "https://git.kernel.org/stable/c/e348d18fb0124b662cfefb3001733b49da428215"
        },
        {
          "url": "https://git.kernel.org/stable/c/201a66d8e6630762e760e1d78f1d149da1691e7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4301e4dd6b32faccb744f1c2320e64235b68d3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/47b2116e54b4a854600341487e8b55249e926324"
        }
      ],
      "title": "usb: gadget: f_acm: Refactor bind path to use __free()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40094",
    "datePublished": "2025-10-30T09:48:02.446Z",
    "dateReserved": "2025-04-16T07:20:57.163Z",
    "dateUpdated": "2026-05-11T21:42:23.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40095 (GCVE-0-2025-40095)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2026-05-11 21:42

Title

usb: gadget: f_rndis: Refactor bind path to use __free()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/ef81226bb1f8b6e76…
https://git.kernel.org/stable/c/5f65c8ad8c7292ed7…
https://git.kernel.org/stable/c/380353c3a92be7d92…
https://git.kernel.org/stable/c/a8366263b7e5b663d…
https://git.kernel.org/stable/c/08228941436047bdc…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 5f65c8ad8c7292ed7e3716343fcd590a51818cc3 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 380353c3a92be7d928e6f973bd065c5b79755ac3 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < a8366263b7e5b663d7fb489d3a9ba1e2600049a6 (git) Affected: 45fe3b8e5342cd1ce307099459c74011d8e01986 , < 08228941436047bdcd35a612c1aec0912a29d8cd (git)
Linux	Linux	Affected: 2.6.27 Unaffected: 0 , < 2.6.27 (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.55 , ≤ 6.12.* (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_rndis.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1",
              "status": "affected",
              "version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
              "versionType": "git"
            },
            {
              "lessThan": "5f65c8ad8c7292ed7e3716343fcd590a51818cc3",
              "status": "affected",
              "version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
              "versionType": "git"
            },
            {
              "lessThan": "380353c3a92be7d928e6f973bd065c5b79755ac3",
              "status": "affected",
              "version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
              "versionType": "git"
            },
            {
              "lessThan": "a8366263b7e5b663d7fb489d3a9ba1e2600049a6",
              "status": "affected",
              "version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
              "versionType": "git"
            },
            {
              "lessThan": "08228941436047bdcd35a612c1aec0912a29d8cd",
              "status": "affected",
              "version": "45fe3b8e5342cd1ce307099459c74011d8e01986",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_rndis.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the rndis-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:42:25.047Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f65c8ad8c7292ed7e3716343fcd590a51818cc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/380353c3a92be7d928e6f973bd065c5b79755ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8366263b7e5b663d7fb489d3a9ba1e2600049a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/08228941436047bdcd35a612c1aec0912a29d8cd"
        }
      ],
      "title": "usb: gadget: f_rndis: Refactor bind path to use __free()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40095",
    "datePublished": "2025-10-30T09:48:03.276Z",
    "dateReserved": "2025-04-16T07:20:57.163Z",
    "dateUpdated": "2026-05-11T21:42:25.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0966

Solutions

CVE-2025-12058 (GCVE-0-2025-12058)

CVE-2025-12060 (GCVE-0-2025-12060)

CVE-2025-40083 (GCVE-0-2025-40083)

CVE-2025-40084 (GCVE-0-2025-40084)

CVE-2025-40085 (GCVE-0-2025-40085)

CVE-2025-40087 (GCVE-0-2025-40087)

CVE-2025-40088 (GCVE-0-2025-40088)

CVE-2025-40092 (GCVE-0-2025-40092)

CVE-2025-40094 (GCVE-0-2025-40094)

CVE-2025-40095 (GCVE-0-2025-40095)

Tags

Sightings

Nomenclature