Vulnerability-Lookup

CERTFR-2025-AVI-1082

Vulnerability from certfr_avis - Published: 2025-12-09 - Updated: 2025-12-09

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	cbl2 cni-plugins 1.3.0-9
Microsoft	N/A	cbl2 cf-cli 8.4.0-25
Microsoft	N/A	cbl2 kube-vip-cloud-provider 0.0.2-23
Microsoft	N/A	azl3 httpd 2.4.65-1
Microsoft	N/A	azl3 cni-plugins 1.4.0-3
Microsoft	N/A	azl3 kata-containers-cc 3.15.0.aks0-5
Microsoft	N/A	cbl2 dcos-cli 1.2.0-22
Microsoft	N/A	cbl2 jx 3.2.236-23
Microsoft	N/A	cbl2 cert-manager 1.11.2-24
Microsoft	N/A	azl3 dcos-cli 1.2.0-19
Microsoft	N/A	azl3 kubernetes 1.30.10-16
Microsoft	N/A	azl3 flannel 0.24.2-21
Microsoft	N/A	azl3 kernel 6.6.112.1-2
Microsoft	N/A	cbl2 influxdb 2.6.1-24
Microsoft	N/A	cbl2 containerized-data-importer 1.55.0-26
Microsoft	N/A	azl3 kernel 6.6.117.1-1
Microsoft	N/A	cbl2 flannel 0.14.0-26
Microsoft	N/A	cbl2 libcontainers-common 20210626-7
Microsoft	N/A	cbl2 kata-containers-cc 3.2.0.azl2-8
Microsoft	N/A	azl3 containerized-data-importer 1.57.0-17
Microsoft	N/A	cbl2 kubevirt 0.59.0-31
Microsoft	N/A	cbl2 moby-compose 2.17.3-12
Microsoft	N/A	cbl2 cri-o 1.22.3-17
Microsoft	N/A	cbl2 httpd 2.4.65-1
Microsoft	N/A	azl3 kata-containers 3.19.1.kata2-2
Microsoft	N/A	cbl2 kubernetes 1.28.4-19
Microsoft	N/A	cbl2 moby-buildx 0.7.1-26
Microsoft	N/A	cbl2 local-path-provisioner 0.0.21-19
Microsoft	N/A	cbl2 prometheus 2.37.9-5
Microsoft	N/A	azl3 influxdb 2.7.5-8
Microsoft	N/A	cbl2 kata-containers 3.2.0.azl2-7
Microsoft	N/A	azl3 libcontainers-common 20240213-3

References

Title

Publication Time

CVE-2023-53749 (GCVE-0-2023-53749)

Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-29 14:56

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-12-29T14:56:30.742Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53749",
    "datePublished": "2025-12-08T01:19:08.617Z",
    "dateRejected": "2025-12-29T14:56:30.742Z",
    "dateReserved": "2025-12-08T01:18:04.279Z",
    "dateUpdated": "2025-12-29T14:56:30.742Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40268 (GCVE-0-2025-40268)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-05-11 21:46

Title

cifs: client: fix memory leak in smb3_fs_context_parse_param

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/868fc62811d3fabcf…
https://git.kernel.org/stable/c/48c17341577e25a22…
https://git.kernel.org/stable/c/4515743cc7a42e1d6…
https://git.kernel.org/stable/c/e8c73eb7db0a498cd…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 868fc62811d3fabcf5685e14f36377a855d5412d (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 48c17341577e25a22feb13d694374b61d974edbc (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 4515743cc7a42e1d67468402a6420c195532a6fa (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 (git)
Linux	Linux	Affected: 5.11 Unaffected: 0 , < 5.11 (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "868fc62811d3fabcf5685e14f36377a855d5412d",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "48c17341577e25a22feb13d694374b61d974edbc",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "4515743cc7a42e1d67468402a6420c195532a6fa",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: client: fix memory leak in smb3_fs_context_parse_param\n\nThe user calls fsconfig twice, but when the program exits, free() only\nfrees ctx-\u003esource for the second fsconfig, not the first.\nRegarding fc-\u003esource, there is no code in the fs context related to its\nmemory reclamation.\n\nTo fix this memory leak, release the source memory corresponding to ctx\nor fc before each parsing.\n\nsyzbot reported:\nBUG: memory leak\nunreferenced object 0xffff888128afa360 (size 96):\n  backtrace (crc 79c9c7ba):\n    kstrdup+0x3c/0x80 mm/util.c:84\n    smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444\n\nBUG: memory leak\nunreferenced object 0xffff888112c7d900 (size 96):\n  backtrace (crc 79c9c7ba):\n    smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629\n    smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:04.012Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d"
        },
        {
          "url": "https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6"
        }
      ],
      "title": "cifs: client: fix memory leak in smb3_fs_context_parse_param",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40268",
    "datePublished": "2025-12-06T21:50:48.917Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-05-11T21:46:04.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40269 (GCVE-0-2025-40269)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-05-23 16:01

Title

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].

Severity

No CVSS data available.

Assigner

Linux

References

13 references

URL	Tags
https://git.kernel.org/stable/c/480a1490c595a242f…
https://git.kernel.org/stable/c/ab0b5e92fc36ee82c…
https://git.kernel.org/stable/c/282aba56713bbc581…
https://git.kernel.org/stable/c/c4dc012b027c9eb10…
https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b…
https://git.kernel.org/stable/c/d67dde02049e632ba…
https://git.kernel.org/stable/c/6a5da3fa80affc948…
https://git.kernel.org/stable/c/217d47255a2ec8b24…
https://git.kernel.org/stable/c/ef592bf2232a2daa9…
https://git.kernel.org/stable/c/ece3b981bb6620e47…
https://git.kernel.org/stable/c/98e9d5e33bda8db87…
https://git.kernel.org/stable/c/d2c04f20ccc6c0d21…
https://git.kernel.org/stable/c/05a1fc5efdd8560f3…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 02c56650f3c118d3752122996d96173d26bb13aa , < 480a1490c595a242f27493a4544b3efb21b29f6a (git) Affected: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b , < ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41 (git) Affected: 99703c921864a318e3e8aae74fde071b1ff35bea , < 282aba56713bbc58155716b55ca7222b2d9cf3c8 (git) Affected: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf , < c4dc012b027c9eb101583011089dea14d744e314 (git) Affected: aba41867dd66939d336fdf604e4d73b805d8039f , < e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360 (git) Affected: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 , < d67dde02049e632ba58d3c44a164a74b6a737154 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 6a5da3fa80affc948923f20a4e086177f505e86e (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 217d47255a2ec8b246f2725f5db9ac3f1d4109d7 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ef592bf2232a2daa9fffa8881881fc9957ea56e9 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ece3b981bb6620e47fac826a2156c090b1a936a0 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 98e9d5e33bda8db875cc1a4fe99c192658e45ab6 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < d2c04f20ccc6c0d219e6d3038bab45bc66a178ad (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf (git) Affected: 4.4.229 , < 4.4.230 (semver) Affected: 4.9.229 , < 4.9.230 (semver) Affected: 4.14.186 , < 4.14.188 (semver) Affected: 4.19.130 , < 4.19.132 (semver) Affected: 5.4.49 , < 5.4.51 (semver) Affected: 5.7.6 , < 5.7.8 (semver)
Linux	Linux	Affected: 5.8 Unaffected: 0 , < 5.8 (semver) Unaffected: 4.4.230 , ≤ 4.4.* (semver) Unaffected: 4.9.230 , ≤ 4.9.* (semver) Unaffected: 4.14.188 , ≤ 4.14.* (semver) Unaffected: 4.19.132 , ≤ 4.19.* (semver) Unaffected: 5.4.51 , ≤ 5.4.* (semver) Unaffected: 5.7.8 , ≤ 5.7.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/endpoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
              "status": "affected",
              "version": "02c56650f3c118d3752122996d96173d26bb13aa",
              "versionType": "git"
            },
            {
              "lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
              "status": "affected",
              "version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
              "versionType": "git"
            },
            {
              "lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
              "status": "affected",
              "version": "99703c921864a318e3e8aae74fde071b1ff35bea",
              "versionType": "git"
            },
            {
              "lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
              "status": "affected",
              "version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
              "versionType": "git"
            },
            {
              "lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
              "status": "affected",
              "version": "aba41867dd66939d336fdf604e4d73b805d8039f",
              "versionType": "git"
            },
            {
              "lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
              "status": "affected",
              "version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
              "versionType": "git"
            },
            {
              "lessThan": "6a5da3fa80affc948923f20a4e086177f505e86e",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "217d47255a2ec8b246f2725f5db9ac3f1d4109d7",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "ef592bf2232a2daa9fffa8881881fc9957ea56e9",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "ece3b981bb6620e47fac826a2156c090b1a936a0",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "98e9d5e33bda8db875cc1a4fe99c192658e45ab6",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "d2c04f20ccc6c0d219e6d3038bab45bc66a178ad",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "4.4.230",
              "status": "affected",
              "version": "4.4.229",
              "versionType": "semver"
            },
            {
              "lessThan": "4.9.230",
              "status": "affected",
              "version": "4.9.229",
              "versionType": "semver"
            },
            {
              "lessThan": "4.14.188",
              "status": "affected",
              "version": "4.14.186",
              "versionType": "semver"
            },
            {
              "lessThan": "4.19.132",
              "status": "affected",
              "version": "4.19.130",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.51",
              "status": "affected",
              "version": "5.4.49",
              "versionType": "semver"
            },
            {
              "lessThan": "5.7.8",
              "status": "affected",
              "version": "5.7.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/endpoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.7.*",
              "status": "unaffected",
              "version": "5.7.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.230",
                  "versionStartIncluding": "4.4.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.230",
                  "versionStartIncluding": "4.9.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.188",
                  "versionStartIncluding": "4.14.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.132",
                  "versionStartIncluding": "4.19.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.51",
                  "versionStartIncluding": "5.4.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.8",
                  "versionStartIncluding": "5.7.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically.  The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor.  OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above.  This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor.  So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize.  The comparison with\nep-\u003epacksize[1] alone should suffice since it\u0027s always equal or\ngreater than ep-\u003epacksize[0]."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:01:53.873Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
        },
        {
          "url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
        },
        {
          "url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e"
        },
        {
          "url": "https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf"
        }
      ],
      "title": "ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40269",
    "datePublished": "2025-12-06T21:50:50.229Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-05-23T16:01:53.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40272 (GCVE-0-2025-40272)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-05-11 21:46

Title

mm/secretmem: fix use-after-free race in fault handler

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/bb1c19636aedae393…
https://git.kernel.org/stable/c/1e4643d6628edf9c0…
https://git.kernel.org/stable/c/42d486d35a4143cc3…
https://git.kernel.org/stable/c/52f2d5cf33de9a8f5…
https://git.kernel.org/stable/c/4444767e625da4600…
https://git.kernel.org/stable/c/6f86d0534fddfbd08…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < bb1c19636aedae39360e6fdbcaef4f2bcff25785 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 1e4643d6628edf9c0047b1f8f5bc574665025acb (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 42d486d35a4143cc37fc72ee66edc99d942dd367 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 4444767e625da46009fc94a453fd1967b80ba047 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 6f86d0534fddfbd08687fa0f01479d4226bc3c3d (git)
Linux	Linux	Affected: 5.14 Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/secretmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb1c19636aedae39360e6fdbcaef4f2bcff25785",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "1e4643d6628edf9c0047b1f8f5bc574665025acb",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "42d486d35a4143cc37fc72ee66edc99d942dd367",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "4444767e625da46009fc94a453fd1967b80ba047",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "6f86d0534fddfbd08687fa0f01479d4226bc3c3d",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/secretmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping.  The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map.  However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:08.590Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb"
        },
        {
          "url": "https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367"
        },
        {
          "url": "https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649"
        },
        {
          "url": "https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d"
        }
      ],
      "title": "mm/secretmem: fix use-after-free race in fault handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40272",
    "datePublished": "2025-12-06T21:50:54.629Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-05-11T21:46:08.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40273 (GCVE-0-2025-40273)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-05-11 21:46

Title

NFSD: free copynotify stateid in nfs4_free_ol_stateid()

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later. [ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813] laundromat_main+0x24/0x60 [nfsd] [ 1626.870231] process_one_work+0x584/0x1050 [ 1626.870595] worker_thread+0x4c4/0xc60 [ 1626.870893] kthread+0x2f8/0x398 [ 1626.871146] ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/935a2dc8928670bb2…
https://git.kernel.org/stable/c/b114996a095da39e3…
https://git.kernel.org/stable/c/839f56f626723f369…
https://git.kernel.org/stable/c/29fbb3ad4018ca2b0…
https://git.kernel.org/stable/c/d7be15a634aa38748…
https://git.kernel.org/stable/c/f67ad9b33b0e6f00d…
https://git.kernel.org/stable/c/4aa17144d5abc3c75…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 935a2dc8928670bb2c37e21025331e61ec48ccf4 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < b114996a095da39e38410a0328d4a8aca8c36088 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 839f56f626723f36904764858467e7a3881b975d (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < d7be15a634aa3874827d0d3ea47452ee878b8df7 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 4aa17144d5abc3c756883e3a010246f0dba8b468 (git)
Linux	Linux	Affected: 5.6 Unaffected: 0 , < 5.6 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "935a2dc8928670bb2c37e21025331e61ec48ccf4",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "b114996a095da39e38410a0328d4a8aca8c36088",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "839f56f626723f36904764858467e7a3881b975d",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "d7be15a634aa3874827d0d3ea47452ee878b8df7",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "4aa17144d5abc3c756883e3a010246f0dba8b468",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent\u0027s stateid\nis being close/freed or in nfsd4_laundromat if the stateid hasn\u0027t\nbeen used in a lease period.\n\nHowever, in case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. New client instance while doing\nCREATE_SESSION would force expire previous state of this client.\nIt leads to the open state being freed thru release_openowner-\u003e\nnfs4_free_ol_stateid() and it finds that it still has copynotify\nstateid associated with it. We currently print a warning and is\ntriggerred\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to the list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813]  laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231]  process_one_work+0x584/0x1050\n[ 1626.870595]  worker_thread+0x4c4/0xc60\n[ 1626.870893]  kthread+0x2f8/0x398\n[ 1626.871146]  ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:09.731Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088"
        },
        {
          "url": "https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d"
        },
        {
          "url": "https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468"
        }
      ],
      "title": "NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40273",
    "datePublished": "2025-12-06T21:50:55.723Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-05-11T21:46:09.731Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40275 (GCVE-0-2025-40275)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-05-11 21:46

Title

ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/23aea9c74aeea2625…
https://git.kernel.org/stable/c/c5c08965ab96b1636…
https://git.kernel.org/stable/c/9f282104627be5fbd…
https://git.kernel.org/stable/c/2762d3ea9c929ca40…
https://git.kernel.org/stable/c/57f607c112966c212…
https://git.kernel.org/stable/c/cbdbfc756f2990942…
https://git.kernel.org/stable/c/85568535893600024…
https://git.kernel.org/stable/c/632108ec072ad64c8…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 9f282104627be5fbded3102ff9004f753c55a063 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 2762d3ea9c929ca4094541ca517c317ffa94625b (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 57f607c112966c21240c424b33e2cb71e121dcf0 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < cbdbfc756f2990942138ed0138da9303b4dbf9ff (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 85568535893600024d7d8794f4f8b6428b521e0c (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 632108ec072ad64c8c83db6e16a7efee29ebfb74 (git)
Linux	Linux	Affected: 4.18 Unaffected: 0 , < 4.18 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/mixer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "9f282104627be5fbded3102ff9004f753c55a063",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "2762d3ea9c929ca4094541ca517c317ffa94625b",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "57f607c112966c21240c424b33e2cb71e121dcf0",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "cbdbfc756f2990942138ed0138da9303b4dbf9ff",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "85568535893600024d7d8794f4f8b6428b521e0c",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "632108ec072ad64c8c83db6e16a7efee29ebfb74",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/mixer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:11.980Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"
        },
        {
          "url": "https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"
        },
        {
          "url": "https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"
        }
      ],
      "title": "ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40275",
    "datePublished": "2025-12-06T21:50:57.914Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-05-11T21:46:11.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40277 (GCVE-0-2025-40277)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-05-11 21:46

Title

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/e58559845021c3bad…
https://git.kernel.org/stable/c/54d458b244893e47b…
https://git.kernel.org/stable/c/709e5c088f9c99a5c…
https://git.kernel.org/stable/c/a3abb54c27b2c393c…
https://git.kernel.org/stable/c/b5df9e06eed3df6a4…
https://git.kernel.org/stable/c/5aea2cde03d4247cd…
https://git.kernel.org/stable/c/f3f3a8eb3f0ba799f…
https://git.kernel.org/stable/c/32b415a9dc2c212e8…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git)
Linux	Linux	Affected: 4.3 Unaffected: 0 , < 4.3 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e58559845021c3bad5e094219378b869157fad53",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:14.324Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
        },
        {
          "url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
        },
        {
          "url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
        }
      ],
      "title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40277",
    "datePublished": "2025-12-06T21:51:00.437Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-05-11T21:46:14.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40279 (GCVE-0-2025-40279)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-05-11 21:46

Title

net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/218b67c8c8246d47a…
https://git.kernel.org/stable/c/73cc56c608c209d3d…
https://git.kernel.org/stable/c/31e4aa93e2e5b5647…
https://git.kernel.org/stable/c/51cb05d4fd6325968…
https://git.kernel.org/stable/c/25837889ec062f2b7…
https://git.kernel.org/stable/c/62b656e43eaeae445…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 218b67c8c8246d47a2a7910eae80abe4861fe2b7 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 73cc56c608c209d3d666cc571293b090a471da70 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 31e4aa93e2e5b5647fc235b0f6ee329646878f9e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 51cb05d4fd632596816ba44e882e84db9fb28a7e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 25837889ec062f2b7618142cd80253dff3da5343 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 62b656e43eaeae445a39cd8021a4f47065af4389 (git)
Linux	Linux	Affected: 4.0 Unaffected: 0 , < 4.0 (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_connmark.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "218b67c8c8246d47a2a7910eae80abe4861fe2b7",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "73cc56c608c209d3d666cc571293b090a471da70",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "31e4aa93e2e5b5647fc235b0f6ee329646878f9e",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "51cb05d4fd632596816ba44e882e84db9fb28a7e",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "25837889ec062f2b7618142cd80253dff3da5343",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "62b656e43eaeae445a39cd8021a4f47065af4389",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_connmark.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:16.602Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343"
        },
        {
          "url": "https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389"
        }
      ],
      "title": "net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40279",
    "datePublished": "2025-12-06T21:51:03.010Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-05-11T21:46:16.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40280 (GCVE-0-2025-40280)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-05-23 16:01

Title

tipc: Fix use-after-free in tipc_mon_reinit_self().

Summary

In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/5f541300b02ef8b2a…
https://git.kernel.org/stable/c/b2e77c789c234e7fe…
https://git.kernel.org/stable/c/51b8f0ab888f8aa5d…
https://git.kernel.org/stable/c/499b5fa78d525c445…
https://git.kernel.org/stable/c/c92dbf85627b5c29e…
https://git.kernel.org/stable/c/f0104977fed25ebe0…
https://git.kernel.org/stable/c/fdf7c4c9af4f24632…
https://git.kernel.org/stable/c/0725e6afb55128be2…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 28845c28f842e9e55e75b2c116bff714bb039055 , < 5f541300b02ef8b2af34f6f7d41ce617f3571e88 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < b2e77c789c234e7fe49057d2ced8f32e2d2c7901 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 51b8f0ab888f8aa5dfac954918864eeda8c12c19 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 499b5fa78d525c4450ebb76db83207db71efea77 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < c92dbf85627b5c29e52d9c120a24e785801716df (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < f0104977fed25ebe001fd63dab2b6b7fefad3373 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < fdf7c4c9af4f246323ce854e84b6aec198d49f7e (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 0725e6afb55128be21a2ca36e9674f573ccec173 (git) Affected: 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 (git) Affected: 5.4.15 , < 5.4.302 (semver) Affected: 4.19.99 , < 4.20 (semver)
Linux	Linux	Affected: 5.5 Unaffected: 0 , < 5.5 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f541300b02ef8b2af34f6f7d41ce617f3571e88",
              "status": "affected",
              "version": "28845c28f842e9e55e75b2c116bff714bb039055",
              "versionType": "git"
            },
            {
              "lessThan": "b2e77c789c234e7fe49057d2ced8f32e2d2c7901",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "51b8f0ab888f8aa5dfac954918864eeda8c12c19",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "499b5fa78d525c4450ebb76db83207db71efea77",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "c92dbf85627b5c29e52d9c120a24e785801716df",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "f0104977fed25ebe001fd63dab2b6b7fefad3373",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "fdf7c4c9af4f246323ce854e84b6aec198d49f7e",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "0725e6afb55128be21a2ca36e9674f573ccec173",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "295c9b554f6dfcd2d368fae6e6fa22ee5b79c123",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.302",
              "status": "affected",
              "version": "5.4.15",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.99",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "5.4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.99",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:01:55.255Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901"
        },
        {
          "url": "https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19"
        },
        {
          "url": "https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77"
        },
        {
          "url": "https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173"
        }
      ],
      "title": "tipc: Fix use-after-free in tipc_mon_reinit_self().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40280",
    "datePublished": "2025-12-06T21:51:04.091Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-05-23T16:01:55.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40281 (GCVE-0-2025-40281)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-05-11 21:46

Title

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/0e0413e3315199b23…
https://git.kernel.org/stable/c/834e65be429c0fa4f…
https://git.kernel.org/stable/c/abb086b9a95d0ed3b…
https://git.kernel.org/stable/c/d0d858652834dcf53…
https://git.kernel.org/stable/c/ed71f801249d2350c…
https://git.kernel.org/stable/c/1cfa4eac275cc4875…
https://git.kernel.org/stable/c/aaba523dd7b610652…
https://git.kernel.org/stable/c/1534ff77757e44bcc…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 0e0413e3315199b23ff4aec295e256034cd0a6e4 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 834e65be429c0fa4f9bb5945064bd57f18ed2187 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < d0d858652834dcf531342c82a0428170aa7c2675 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < ed71f801249d2350c77a73dca2c03918a15a62fe (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 1cfa4eac275cc4875755c1303d48a4ddfe507ca8 (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d (git) Affected: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b , < 1534ff77757e44bcc4b98d0196bc5c0052fce5fa (git)
Linux	Linux	Affected: 3.16 Unaffected: 0 , < 3.16 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0e0413e3315199b23ff4aec295e256034cd0a6e4",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "834e65be429c0fa4f9bb5945064bd57f18ed2187",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "d0d858652834dcf531342c82a0428170aa7c2675",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "ed71f801249d2350c77a73dca2c03918a15a62fe",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "1cfa4eac275cc4875755c1303d48a4ddfe507ca8",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            },
            {
              "lessThan": "1534ff77757e44bcc4b98d0196bc5c0052fce5fa",
              "status": "affected",
              "version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type \u0027unsigned int\u0027\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:233 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:46:18.993Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa"
        }
      ],
      "title": "sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40281",
    "datePublished": "2025-12-06T21:51:05.208Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-05-11T21:46:18.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-1082

Solutions

CVE-2023-53749 (GCVE-0-2023-53749)

CVE-2025-40268 (GCVE-0-2025-40268)

CVE-2025-40269 (GCVE-0-2025-40269)

CVE-2025-40272 (GCVE-0-2025-40272)

CVE-2025-40273 (GCVE-0-2025-40273)

CVE-2025-40275 (GCVE-0-2025-40275)

CVE-2025-40277 (GCVE-0-2025-40277)

CVE-2025-40279 (GCVE-0-2025-40279)

CVE-2025-40280 (GCVE-0-2025-40280)

CVE-2025-40281 (GCVE-0-2025-40281)

Tags

Sightings

Nomenclature