Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1140
Vulnerability from certfr_avis - Published: 2025-12-26 - Updated: 2025-12-26
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | Public Cloud Module | Public Cloud Module 15-SP7 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5, SP5 LTSS et SP5 LTSS Extended Security | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | Public Cloud Module | Public Cloud Module 15-SP6 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.6 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Real Time 15 SP5 et SP5 LTSS | ||
| SUSE | SUSE Real Time Module | SUSE Real Time Module 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP5, ESPOS 15 SP5 et LTSS 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 et SP4 LTSS EXTREME CORE | ||
| SUSE | SUSE Real Time Module | SUSE Real Time Module 15-SP7 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Public Cloud Module 15-SP7",
"product": {
"name": "Public Cloud Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5, SP5 LTSS et SP5 LTSS Extended Security",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP6",
"product": {
"name": "Public Cloud Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5 et SP5 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP6",
"product": {
"name": "SUSE Real Time Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5, ESPOS 15 SP5 et LTSS 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4 et SP4 LTSS EXTREME CORE",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP7",
"product": {
"name": "SUSE Real Time Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40156"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-40121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40121"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2025-40171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40171"
},
{
"name": "CVE-2022-50368",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50368"
},
{
"name": "CVE-2025-40139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40139"
},
{
"name": "CVE-2025-39967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39967"
},
{
"name": "CVE-2025-40107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40107"
},
{
"name": "CVE-2025-40115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40115"
},
{
"name": "CVE-2025-40198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40198"
},
{
"name": "CVE-2025-40173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40173"
},
{
"name": "CVE-2025-39944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39944"
},
{
"name": "CVE-2025-40194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40194"
},
{
"name": "CVE-2025-38436",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38436"
},
{
"name": "CVE-2025-40001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40001"
},
{
"name": "CVE-2023-53431",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53431"
},
{
"name": "CVE-2025-39859",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39859"
},
{
"name": "CVE-2025-40172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40172"
},
{
"name": "CVE-2022-50494",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50494"
},
{
"name": "CVE-2025-40188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40188"
},
{
"name": "CVE-2025-40186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40186"
},
{
"name": "CVE-2025-40086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40086"
},
{
"name": "CVE-2025-40169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40169"
},
{
"name": "CVE-2023-53369",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53369"
},
{
"name": "CVE-2023-53641",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53641"
},
{
"name": "CVE-2025-40070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40070"
},
{
"name": "CVE-2025-40047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40047"
},
{
"name": "CVE-2025-40205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40205"
},
{
"name": "CVE-2022-50253",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50253"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2022-50280",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50280"
},
{
"name": "CVE-2025-40206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40206"
},
{
"name": "CVE-2022-50578",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50578"
},
{
"name": "CVE-2025-39788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39788"
},
{
"name": "CVE-2022-50551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50551"
},
{
"name": "CVE-2025-40109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40109"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40176"
},
{
"name": "CVE-2025-40183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40183"
},
{
"name": "CVE-2025-37916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37916"
},
{
"name": "CVE-2025-38359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38359"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-40116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40116"
},
{
"name": "CVE-2025-40127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40127"
},
{
"name": "CVE-2025-40168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40168"
},
{
"name": "CVE-2025-40120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40120"
},
{
"name": "CVE-2025-40185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40185"
},
{
"name": "CVE-2025-40098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40098"
},
{
"name": "CVE-2025-40129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40129"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-40207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40207"
},
{
"name": "CVE-2025-40118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40118"
},
{
"name": "CVE-2025-40157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40157"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-40105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40105"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2022-50364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50364"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2023-53542",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53542"
},
{
"name": "CVE-2023-53229",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53229"
},
{
"name": "CVE-2025-40180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40180"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-40111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40111"
},
{
"name": "CVE-2025-40059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40059"
},
{
"name": "CVE-2023-53676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53676"
},
{
"name": "CVE-2022-50569",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50569"
},
{
"name": "CVE-2025-39822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39822"
},
{
"name": "CVE-2025-40141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40141"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2025-39980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39980"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-39819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39819"
},
{
"name": "CVE-2025-38360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38360"
},
{
"name": "CVE-2022-50545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50545"
},
{
"name": "CVE-2025-40140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40140"
},
{
"name": "CVE-2025-21710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21710"
},
{
"name": "CVE-2025-40159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40159"
},
{
"name": "CVE-2023-53597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53597"
},
{
"name": "CVE-2024-53093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53093"
},
{
"name": "CVE-2025-38361",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38361"
}
],
"initial_release_date": "2025-12-26T00:00:00",
"last_revision_date": "2025-12-26T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1140",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4506-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254506-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4517-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254517-1"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4507-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254507-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4515-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254515-1"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4505-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254505-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4516-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254516-1"
},
{
"published_at": "2025-12-24",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4521-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254521-1"
}
]
}
CVE-2025-40109 (GCVE-0-2025-40109)
Vulnerability from cvelistv5 – Published: 2025-11-09 04:35 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
crypto: rng - Ensure set_ent is always present
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: rng - Ensure set_ent is always present
Ensure that set_ent is always set since only drbg provides it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 15d6f42da1bb527629d8e1067b1302d58dec9166
(git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < bd903c25b652c331831226cdf56c8179d18e43f4 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 17acbcd44fe8dc17dc1072375e76df2d52da6ac8 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < ab172f4f42626549b02bada05f09e3f2b0cc26ec (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c5c703b50e91dd4748769f4c5ab50d9ad60be370 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < e247a7d138e514a40edda7c4d72c8bd49bb2cad3 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 915cb75983bc5e8b80f8a2f25a4af463f7b18c14 (git) Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c0d36727bf39bb16ef0a67ed608e279535ebf0da (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d6f42da1bb527629d8e1067b1302d58dec9166",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "bd903c25b652c331831226cdf56c8179d18e43f4",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "17acbcd44fe8dc17dc1072375e76df2d52da6ac8",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "ab172f4f42626549b02bada05f09e3f2b0cc26ec",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c5c703b50e91dd4748769f4c5ab50d9ad60be370",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "e247a7d138e514a40edda7c4d72c8bd49bb2cad3",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "915cb75983bc5e8b80f8a2f25a4af463f7b18c14",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c0d36727bf39bb16ef0a67ed608e279535ebf0da",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rng - Ensure set_ent is always present\n\nEnsure that set_ent is always set since only drbg provides it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:12.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d6f42da1bb527629d8e1067b1302d58dec9166"
},
{
"url": "https://git.kernel.org/stable/c/bd903c25b652c331831226cdf56c8179d18e43f4"
},
{
"url": "https://git.kernel.org/stable/c/17acbcd44fe8dc17dc1072375e76df2d52da6ac8"
},
{
"url": "https://git.kernel.org/stable/c/ab172f4f42626549b02bada05f09e3f2b0cc26ec"
},
{
"url": "https://git.kernel.org/stable/c/c5c703b50e91dd4748769f4c5ab50d9ad60be370"
},
{
"url": "https://git.kernel.org/stable/c/e247a7d138e514a40edda7c4d72c8bd49bb2cad3"
},
{
"url": "https://git.kernel.org/stable/c/915cb75983bc5e8b80f8a2f25a4af463f7b18c14"
},
{
"url": "https://git.kernel.org/stable/c/c0d36727bf39bb16ef0a67ed608e279535ebf0da"
}
],
"title": "crypto: rng - Ensure set_ent is always present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40109",
"datePublished": "2025-11-09T04:35:59.979Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:12.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39819 (GCVE-0-2025-39819)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
fs/smb: Fix inconsistent refcnt update
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/smb: Fix inconsistent refcnt update
A possible inconsistent update of refcount was identified in `smb2_compound_op`.
Such inconsistent update could lead to possible resource leaks.
Why it is a possible bug:
1. In the comment section of the function, it clearly states that the
reference to `cfile` should be dropped after calling this function.
2. Every control flow path would check and drop the reference to
`cfile`, except the patched one.
3. Existing callers would not handle refcount update of `cfile` if
-ENOMEM is returned.
To fix the bug, an extra goto label "out" is added, to make sure that the
cleanup logic would always be respected. As the problem is caused by the
allocation failure of `vars`, the cleanup logic between label "finished"
and "out" can be safely ignored. According to the definition of function
`is_replayable_error`, the error code of "-ENOMEM" is not recoverable.
Therefore, the replay logic also gets ignored.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3fc11ff13fbc2749871d6ac2141685cf54699997
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4191ea1f0bb3e27d65c5dcde7bd00e709ec67141 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4735f5991f51468b85affb8366b7067248457a71 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cc82c6dff548f0066a51a6e577c7454e7d26a968 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:41.406Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fc11ff13fbc2749871d6ac2141685cf54699997",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4191ea1f0bb3e27d65c5dcde7bd00e709ec67141",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4735f5991f51468b85affb8366b7067248457a71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cc82c6dff548f0066a51a6e577c7454e7d26a968",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb: Fix inconsistent refcnt update\n\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\nSuch inconsistent update could lead to possible resource leaks.\n\nWhy it is a possible bug:\n1. In the comment section of the function, it clearly states that the\nreference to `cfile` should be dropped after calling this function.\n2. Every control flow path would check and drop the reference to\n`cfile`, except the patched one.\n3. Existing callers would not handle refcount update of `cfile` if\n-ENOMEM is returned.\n\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\ncleanup logic would always be respected. As the problem is caused by the\nallocation failure of `vars`, the cleanup logic between label \"finished\"\nand \"out\" can be safely ignored. According to the definition of function\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\nTherefore, the replay logic also gets ignored."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:18.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fc11ff13fbc2749871d6ac2141685cf54699997"
},
{
"url": "https://git.kernel.org/stable/c/4191ea1f0bb3e27d65c5dcde7bd00e709ec67141"
},
{
"url": "https://git.kernel.org/stable/c/4735f5991f51468b85affb8366b7067248457a71"
},
{
"url": "https://git.kernel.org/stable/c/cc82c6dff548f0066a51a6e577c7454e7d26a968"
},
{
"url": "https://git.kernel.org/stable/c/ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e"
}
],
"title": "fs/smb: Fix inconsistent refcnt update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39819",
"datePublished": "2025-09-16T13:00:19.320Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2025-11-03T17:43:41.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40107 (GCVE-0-2025-40107)
Vulnerability from cvelistv5 – Published: 2025-11-03 12:15 – Updated: 2025-11-03 12:15
VLAI?
EPSS
Title
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
This issue is similar to the vulnerability in the `mcp251x` driver,
which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from
sleep before interface was brought up").
In the `hi311x` driver, when the device resumes from sleep, the driver
schedules `priv->restart_work`. However, if the network interface was
not previously enabled, the `priv->wq` (workqueue) is not allocated and
initialized, leading to a null pointer dereference.
To fix this, we move the allocation and initialization of the workqueue
from the `hi3110_open` function to the `hi3110_can_probe` function.
This ensures that the workqueue is properly initialized before it is
used during device resume. And added logic to destroy the workqueue
in the error handling paths of `hi3110_can_probe` and in the
`hi3110_can_remove` function to prevent resource leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d1fc4c041459e2d4856c1b2501486ba4f0cbf96b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e93af787187e585933570563c643337fa731584a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1d2ef21f02baff0c109ad78b9e835fb4acb14533 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b696808472197b77b888f50bc789a3bae077743 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1fc4c041459e2d4856c1b2501486ba4f0cbf96b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e93af787187e585933570563c643337fa731584a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d2ef21f02baff0c109ad78b9e835fb4acb14533",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b696808472197b77b888f50bc789a3bae077743",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled\n\nThis issue is similar to the vulnerability in the `mcp251x` driver,\nwhich was fixed in commit 03c427147b2d (\"can: mcp251x: fix resume from\nsleep before interface was brought up\").\n\nIn the `hi311x` driver, when the device resumes from sleep, the driver\nschedules `priv-\u003erestart_work`. However, if the network interface was\nnot previously enabled, the `priv-\u003ewq` (workqueue) is not allocated and\ninitialized, leading to a null pointer dereference.\n\nTo fix this, we move the allocation and initialization of the workqueue\nfrom the `hi3110_open` function to the `hi3110_can_probe` function.\nThis ensures that the workqueue is properly initialized before it is\nused during device resume. And added logic to destroy the workqueue\nin the error handling paths of `hi3110_can_probe` and in the\n`hi3110_can_remove` function to prevent resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T12:15:12.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b"
},
{
"url": "https://git.kernel.org/stable/c/e93af787187e585933570563c643337fa731584a"
},
{
"url": "https://git.kernel.org/stable/c/1d2ef21f02baff0c109ad78b9e835fb4acb14533"
},
{
"url": "https://git.kernel.org/stable/c/fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96"
},
{
"url": "https://git.kernel.org/stable/c/6b696808472197b77b888f50bc789a3bae077743"
}
],
"title": "can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40107",
"datePublished": "2025-11-03T12:15:12.587Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-11-03T12:15:12.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40157 (GCVE-0-2025-40157)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller
When loading the i10nm_edac driver on some Intel Granite Rapids servers,
a call trace may appear as follows:
UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16
shift exponent -66 is negative
...
__ubsan_handle_shift_out_of_bounds+0x1e3/0x390
skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common]
i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac]
skx_register_mci+0x159/0x220 [skx_edac_common]
i10nm_init+0xcb0/0x1ff0 [i10nm_edac]
...
This occurs because some BIOS may disable a memory controller if there
aren't any memory DIMMs populated on this memory controller. The DIMMMTR
register of this disabled memory controller contains the invalid value
~0, resulting in the call trace above.
Fix this call trace by skipping DIMM enumeration on a disabled memory
controller.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ba987eaaabf99b462cdfed86274e3455d5126349 , < 8100b6c0f9089d5b156642b81270ce27fff17490
(git)
Affected: ba987eaaabf99b462cdfed86274e3455d5126349 , < 1652f14cf3bef5a4baa232de954fc22bdcaa78fe (git) Affected: ba987eaaabf99b462cdfed86274e3455d5126349 , < c20da24272f1ac79e9f9083bba577d049cd02bbb (git) Affected: ba987eaaabf99b462cdfed86274e3455d5126349 , < 2e6fe1bbefd9c059c3787d1c620fe67343a94dff (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/i10nm_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8100b6c0f9089d5b156642b81270ce27fff17490",
"status": "affected",
"version": "ba987eaaabf99b462cdfed86274e3455d5126349",
"versionType": "git"
},
{
"lessThan": "1652f14cf3bef5a4baa232de954fc22bdcaa78fe",
"status": "affected",
"version": "ba987eaaabf99b462cdfed86274e3455d5126349",
"versionType": "git"
},
{
"lessThan": "c20da24272f1ac79e9f9083bba577d049cd02bbb",
"status": "affected",
"version": "ba987eaaabf99b462cdfed86274e3455d5126349",
"versionType": "git"
},
{
"lessThan": "2e6fe1bbefd9c059c3787d1c620fe67343a94dff",
"status": "affected",
"version": "ba987eaaabf99b462cdfed86274e3455d5126349",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/i10nm_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/i10nm: Skip DIMM enumeration on a disabled memory controller\n\nWhen loading the i10nm_edac driver on some Intel Granite Rapids servers,\na call trace may appear as follows:\n\n UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16\n shift exponent -66 is negative\n ...\n __ubsan_handle_shift_out_of_bounds+0x1e3/0x390\n skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common]\n i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac]\n skx_register_mci+0x159/0x220 [skx_edac_common]\n i10nm_init+0xcb0/0x1ff0 [i10nm_edac]\n ...\n\nThis occurs because some BIOS may disable a memory controller if there\naren\u0027t any memory DIMMs populated on this memory controller. The DIMMMTR\nregister of this disabled memory controller contains the invalid value\n~0, resulting in the call trace above.\n\nFix this call trace by skipping DIMM enumeration on a disabled memory\ncontroller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:08.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8100b6c0f9089d5b156642b81270ce27fff17490"
},
{
"url": "https://git.kernel.org/stable/c/1652f14cf3bef5a4baa232de954fc22bdcaa78fe"
},
{
"url": "https://git.kernel.org/stable/c/c20da24272f1ac79e9f9083bba577d049cd02bbb"
},
{
"url": "https://git.kernel.org/stable/c/2e6fe1bbefd9c059c3787d1c620fe67343a94dff"
}
],
"title": "EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40157",
"datePublished": "2025-11-12T10:23:29.258Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:08.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39980 (GCVE-0-2025-39980)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
nexthop: Forbid FDB status change while nexthop is in a group
Summary
In the Linux kernel, the following vulnerability has been resolved:
nexthop: Forbid FDB status change while nexthop is in a group
The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:
# ip nexthop add id 1 via 192.0.2.1 fdb
# ip nexthop add id 2 group 1
Error: Non FDB nexthop group cannot have fdb nexthops.
And vice versa:
# ip nexthop add id 3 via 192.0.2.2 dev dummy1
# ip nexthop add id 4 group 3 fdb
Error: FDB nexthop group can only have fdb nexthops.
However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:
# ip nexthop add id 5 via 192.0.2.2 dev dummy1
# ip nexthop add id 6 group 5
# ip nexthop replace id 5 via 192.0.2.2 fdb
# echo $?
0
This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:
# ip route add 198.51.100.1/32 nhid 6
# ping 198.51.100.1
Fix by preventing nexthop FDB status change while the nexthop is in a
group:
# ip nexthop add id 7 via 192.0.2.2 dev dummy1
# ip nexthop add id 8 group 7
# ip nexthop replace id 7 via 192.0.2.2 fdb
Error: Cannot change nexthop FDB status while in a group.
[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
<TASK>
fib_table_lookup+0x541/0x650
ip_route_output_key_hash_rcu+0x2ea/0x970
ip_route_output_key_hash+0x55/0x80
__ip4_datagram_connect+0x250/0x330
udp_connect+0x2b/0x60
__sys_connect+0x9c/0xd0
__x64_sys_connect+0x18/0x20
do_syscall_64+0xa4/0x2a0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
38428d68719c454d269cb03b776d8a4b0ad66111 , < e1e87ac0daacd51f522ecd1645cd76b5809303ed
(git)
Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 0e7bfe7a268ccbd7859730c529161cafbf44637c (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < ec428fff792b7bd15b248dafca2e654b666b1304 (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 24046d31f6f92220852d393d510b6062843e3fbd (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < f0e49fd13afe9dea7a09a1c9537fd00cea22badb (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 8dd4aa0122885f710930de135af2adc4ccc3238f (git) Affected: 38428d68719c454d269cb03b776d8a4b0ad66111 , < 390b3a300d7872cef9588f003b204398be69ce08 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1e87ac0daacd51f522ecd1645cd76b5809303ed",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "0e7bfe7a268ccbd7859730c529161cafbf44637c",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "ec428fff792b7bd15b248dafca2e654b666b1304",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "24046d31f6f92220852d393d510b6062843e3fbd",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "f0e49fd13afe9dea7a09a1c9537fd00cea22badb",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "8dd4aa0122885f710930de135af2adc4ccc3238f",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "390b3a300d7872cef9588f003b204398be69ce08",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:00.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1e87ac0daacd51f522ecd1645cd76b5809303ed"
},
{
"url": "https://git.kernel.org/stable/c/0e7bfe7a268ccbd7859730c529161cafbf44637c"
},
{
"url": "https://git.kernel.org/stable/c/ec428fff792b7bd15b248dafca2e654b666b1304"
},
{
"url": "https://git.kernel.org/stable/c/24046d31f6f92220852d393d510b6062843e3fbd"
},
{
"url": "https://git.kernel.org/stable/c/f0e49fd13afe9dea7a09a1c9537fd00cea22badb"
},
{
"url": "https://git.kernel.org/stable/c/8dd4aa0122885f710930de135af2adc4ccc3238f"
},
{
"url": "https://git.kernel.org/stable/c/390b3a300d7872cef9588f003b204398be69ce08"
}
],
"title": "nexthop: Forbid FDB status change while nexthop is in a group",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39980",
"datePublished": "2025-10-15T07:56:00.275Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:00.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50280 (GCVE-0-2022-50280)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
VLAI?
EPSS
Title
pnode: terminate at peers of source
Summary
In the Linux kernel, the following vulnerability has been resolved:
pnode: terminate at peers of source
The propagate_mnt() function handles mount propagation when creating
mounts and propagates the source mount tree @source_mnt to all
applicable nodes of the destination propagation mount tree headed by
@dest_mnt.
Unfortunately it contains a bug where it fails to terminate at peers of
@source_mnt when looking up copies of the source mount that become
masters for copies of the source mount tree mounted on top of slaves in
the destination propagation tree causing a NULL dereference.
Once the mechanics of the bug are understood it's easy to trigger.
Because of unprivileged user namespaces it is available to unprivileged
users.
While fixing this bug we've gotten confused multiple times due to
unclear terminology or missing concepts. So let's start this with some
clarifications:
* The terms "master" or "peer" denote a shared mount. A shared mount
belongs to a peer group.
* A peer group is a set of shared mounts that propagate to each other.
They are identified by a peer group id. The peer group id is available
in @shared_mnt->mnt_group_id.
Shared mounts within the same peer group have the same peer group id.
The peers in a peer group can be reached via @shared_mnt->mnt_share.
* The terms "slave mount" or "dependent mount" denote a mount that
receives propagation from a peer in a peer group. IOW, shared mounts
may have slave mounts and slave mounts have shared mounts as their
master. Slave mounts of a given peer in a peer group are listed on
that peers slave list available at @shared_mnt->mnt_slave_list.
* The term "master mount" denotes a mount in a peer group. IOW, it
denotes a shared mount or a peer mount in a peer group. The term
"master mount" - or "master" for short - is mostly used when talking
in the context of slave mounts that receive propagation from a master
mount. A master mount of a slave identifies the closest peer group a
slave mount receives propagation from. The master mount of a slave can
be identified via @slave_mount->mnt_master. Different slaves may point
to different masters in the same peer group.
* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.
Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to
ensure all slave mounts of a peer group are visited the
->mnt_slave_lists of all peers in a peer group have to be walked.
* Slave mounts point to a peer in the closest peer group they receive
propagation from via @slave_mnt->mnt_master (see above). Together with
these peers they form a propagation group (see below). The closest
peer group can thus be identified through the peer group id
@slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave
mount receives propagation from.
* A shared-slave mount is a slave mount to a peer group pg1 while also
a peer in another peer group pg2. IOW, a peer group may receive
propagation from another peer group.
If a peer group pg1 is a slave to another peer group pg2 then all
peers in peer group pg1 point to the same peer in peer group pg2 via
->mnt_master. IOW, all peers in peer group pg1 appear on the same
->mnt_slave_list. IOW, they cannot be slaves to different peer groups.
* A pure slave mount is a slave mount that is a slave to a peer group
but is not a peer in another peer group.
* A propagation group denotes the set of mounts consisting of a single
peer group pg1 and all slave mounts and shared-slave mounts that point
to a peer in that peer group via ->mnt_master. IOW, all slave mounts
such that @slave_mnt->mnt_master->mnt_group_id is equal to
@shared_mnt->mnt_group_id.
The concept of a propagation group makes it easier to talk about a
single propagation level in a propagation tree.
For example, in propagate_mnt() the immediate peers of @dest_mnt and
all slaves of @dest_mnt's peer group form a propagation group pr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c
(git)
Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < cc997490be65da0af8c75a6244fc80bb66c53ce0 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 7f57df69de7f05302fad584eb8e3f34de39e0311 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 2dae4211b579ce98985876a73a78466e285238ff (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < b591b2919d018ef91b4a9571edca94105bcad3df (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < c24cc476acd8bccb5af54849aac5e779d8223bf5 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < e7c9f10c44a8919cd8bbd51b228c84d0caf7d518 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 784a4f995ee24460aa72e00b085612fad57ebce5 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 11933cf1d91d57da9e5c53822a540bbdc2656c16 (git) Affected: fc7b1646bf29f722277bdd19551e01420ce9da8f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "cc997490be65da0af8c75a6244fc80bb66c53ce0",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "7f57df69de7f05302fad584eb8e3f34de39e0311",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "2dae4211b579ce98985876a73a78466e285238ff",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "b591b2919d018ef91b4a9571edca94105bcad3df",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "c24cc476acd8bccb5af54849aac5e779d8223bf5",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "e7c9f10c44a8919cd8bbd51b228c84d0caf7d518",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "784a4f995ee24460aa72e00b085612fad57ebce5",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "11933cf1d91d57da9e5c53822a540bbdc2656c16",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"status": "affected",
"version": "fc7b1646bf29f722277bdd19551e01420ce9da8f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npnode: terminate at peers of source\n\nThe propagate_mnt() function handles mount propagation when creating\nmounts and propagates the source mount tree @source_mnt to all\napplicable nodes of the destination propagation mount tree headed by\n@dest_mnt.\n\nUnfortunately it contains a bug where it fails to terminate at peers of\n@source_mnt when looking up copies of the source mount that become\nmasters for copies of the source mount tree mounted on top of slaves in\nthe destination propagation tree causing a NULL dereference.\n\nOnce the mechanics of the bug are understood it\u0027s easy to trigger.\nBecause of unprivileged user namespaces it is available to unprivileged\nusers.\n\nWhile fixing this bug we\u0027ve gotten confused multiple times due to\nunclear terminology or missing concepts. So let\u0027s start this with some\nclarifications:\n\n* The terms \"master\" or \"peer\" denote a shared mount. A shared mount\n belongs to a peer group.\n\n* A peer group is a set of shared mounts that propagate to each other.\n They are identified by a peer group id. The peer group id is available\n in @shared_mnt-\u003emnt_group_id.\n Shared mounts within the same peer group have the same peer group id.\n The peers in a peer group can be reached via @shared_mnt-\u003emnt_share.\n\n* The terms \"slave mount\" or \"dependent mount\" denote a mount that\n receives propagation from a peer in a peer group. IOW, shared mounts\n may have slave mounts and slave mounts have shared mounts as their\n master. Slave mounts of a given peer in a peer group are listed on\n that peers slave list available at @shared_mnt-\u003emnt_slave_list.\n\n* The term \"master mount\" denotes a mount in a peer group. IOW, it\n denotes a shared mount or a peer mount in a peer group. The term\n \"master mount\" - or \"master\" for short - is mostly used when talking\n in the context of slave mounts that receive propagation from a master\n mount. A master mount of a slave identifies the closest peer group a\n slave mount receives propagation from. The master mount of a slave can\n be identified via @slave_mount-\u003emnt_master. Different slaves may point\n to different masters in the same peer group.\n\n* Multiple peers in a peer group can have non-empty -\u003emnt_slave_lists.\n Non-empty -\u003emnt_slave_lists of peers don\u0027t intersect. Consequently, to\n ensure all slave mounts of a peer group are visited the\n -\u003emnt_slave_lists of all peers in a peer group have to be walked.\n\n* Slave mounts point to a peer in the closest peer group they receive\n propagation from via @slave_mnt-\u003emnt_master (see above). Together with\n these peers they form a propagation group (see below). The closest\n peer group can thus be identified through the peer group id\n @slave_mnt-\u003emnt_master-\u003emnt_group_id of the peer/master that a slave\n mount receives propagation from.\n\n* A shared-slave mount is a slave mount to a peer group pg1 while also\n a peer in another peer group pg2. IOW, a peer group may receive\n propagation from another peer group.\n\n If a peer group pg1 is a slave to another peer group pg2 then all\n peers in peer group pg1 point to the same peer in peer group pg2 via\n -\u003emnt_master. IOW, all peers in peer group pg1 appear on the same\n -\u003emnt_slave_list. IOW, they cannot be slaves to different peer groups.\n\n* A pure slave mount is a slave mount that is a slave to a peer group\n but is not a peer in another peer group.\n\n* A propagation group denotes the set of mounts consisting of a single\n peer group pg1 and all slave mounts and shared-slave mounts that point\n to a peer in that peer group via -\u003emnt_master. IOW, all slave mounts\n such that @slave_mnt-\u003emnt_master-\u003emnt_group_id is equal to\n @shared_mnt-\u003emnt_group_id.\n\n The concept of a propagation group makes it easier to talk about a\n single propagation level in a propagation tree.\n\n For example, in propagate_mnt() the immediate peers of @dest_mnt and\n all slaves of @dest_mnt\u0027s peer group form a propagation group pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:16.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c"
},
{
"url": "https://git.kernel.org/stable/c/cc997490be65da0af8c75a6244fc80bb66c53ce0"
},
{
"url": "https://git.kernel.org/stable/c/7f57df69de7f05302fad584eb8e3f34de39e0311"
},
{
"url": "https://git.kernel.org/stable/c/2dae4211b579ce98985876a73a78466e285238ff"
},
{
"url": "https://git.kernel.org/stable/c/b591b2919d018ef91b4a9571edca94105bcad3df"
},
{
"url": "https://git.kernel.org/stable/c/c24cc476acd8bccb5af54849aac5e779d8223bf5"
},
{
"url": "https://git.kernel.org/stable/c/e7c9f10c44a8919cd8bbd51b228c84d0caf7d518"
},
{
"url": "https://git.kernel.org/stable/c/784a4f995ee24460aa72e00b085612fad57ebce5"
},
{
"url": "https://git.kernel.org/stable/c/11933cf1d91d57da9e5c53822a540bbdc2656c16"
}
],
"title": "pnode: terminate at peers of source",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50280",
"datePublished": "2025-09-15T14:21:16.891Z",
"dateReserved": "2025-09-15T13:58:00.976Z",
"dateUpdated": "2025-09-15T14:21:16.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40070 (GCVE-0-2025-40070)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
pps: fix warning in pps_register_cdev when register device fail
Summary
In the Linux kernel, the following vulnerability has been resolved:
pps: fix warning in pps_register_cdev when register device fail
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
Modules linked in:
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
Call Trace:
<TASK>
kobject_cleanup+0x136/0x410 lib/kobject.c:689
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe9/0x130 lib/kobject.c:737
put_device+0x24/0x30 drivers/base/core.c:3797
pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() call device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.
Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
785c78ed0d39d1717cca3ef931d3e51337b5e90e , < 38c7bb10aae5118dd48fa7a82f7bf93839bcc320
(git)
Affected: 1a7735ab2cb9747518a7416fb5929e85442dec62 , < 2a194707ca27a3b0523023fa8b446e5ec922dc51 (git) Affected: c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 , < 125527db41805693208ee1aacd7f3ffe6a3a489c (git) Affected: 91932db1d96b2952299ce30c1c693d834d10ace6 , < 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8 (git) Affected: cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 , < cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e (git) Affected: 7e5ee3281dc09014367f5112b6d566ba36ea2d49 , < f01fa3588e0b3cb1540f56d2c6bd99e5b3810234 (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < 0f97564a1fb62f34b3b498e2f12caffbe99c004a (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < b0531cdba5029f897da5156815e3bdafe1e9b88d (git) Affected: 85241f7de216f8298f6e48540ea13d7dcd100870 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38c7bb10aae5118dd48fa7a82f7bf93839bcc320",
"status": "affected",
"version": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
"versionType": "git"
},
{
"lessThan": "2a194707ca27a3b0523023fa8b446e5ec922dc51",
"status": "affected",
"version": "1a7735ab2cb9747518a7416fb5929e85442dec62",
"versionType": "git"
},
{
"lessThan": "125527db41805693208ee1aacd7f3ffe6a3a489c",
"status": "affected",
"version": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
"versionType": "git"
},
{
"lessThan": "4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8",
"status": "affected",
"version": "91932db1d96b2952299ce30c1c693d834d10ace6",
"versionType": "git"
},
{
"lessThan": "cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e",
"status": "affected",
"version": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
"versionType": "git"
},
{
"lessThan": "f01fa3588e0b3cb1540f56d2c6bd99e5b3810234",
"status": "affected",
"version": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
"versionType": "git"
},
{
"lessThan": "0f97564a1fb62f34b3b498e2f12caffbe99c004a",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"lessThan": "b0531cdba5029f897da5156815e3bdafe1e9b88d",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"status": "affected",
"version": "85241f7de216f8298f6e48540ea13d7dcd100870",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n Modules linked in:\n CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n Call Trace:\n \u003cTASK\u003e\n kobject_cleanup+0x136/0x410 lib/kobject.c:689\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0xe9/0x130 lib/kobject.c:737\n put_device+0x24/0x30 drivers/base/core.c:3797\n pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n tiocsetd drivers/tty/tty_io.c:2429 [inline]\n tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps-\u003edev, which will\ninit dev-\u003erelease to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, \u0027kfree_pps\u0027 should be removed\nin pps_register_source() to avoid a double free in the failure case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:24.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
},
{
"url": "https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51"
},
{
"url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
},
{
"url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
},
{
"url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
},
{
"url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
},
{
"url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
},
{
"url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
}
],
"title": "pps: fix warning in pps_register_cdev when register device fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40070",
"datePublished": "2025-10-28T11:48:38.838Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:24.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53542 (GCVE-0-2023-53542)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2025-10-04 15:16
VLAI?
EPSS
Title
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
For some reason, the driver adding support for Exynos5420 MIPI phy
back in 2016 wasn't used on Exynos5420, which caused a kernel panic.
Add the proper compatible for it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c075aa3467a799855a92289a3c619afc0a2ad193
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 537bdfc1a67836fbd68bbe4210bc380f72cca47f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f10001af0f7246cf3e43530d25f8d59a8db10df6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 199624f3144d79fab1cff533ce6a4b82390520a3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2e68a0f7bc576318a58335c31c542b358bc63f83 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2a6198f5ed7d6e4e06d87a4de007f2e45cc9583 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29961ee63dd676cc67f7c00f76faa21e11f0d7c6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5d5aa219a790d61cad2c38e1aa32058f16ad2f0b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/boot/dts/exynos5420.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c075aa3467a799855a92289a3c619afc0a2ad193",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "537bdfc1a67836fbd68bbe4210bc380f72cca47f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f10001af0f7246cf3e43530d25f8d59a8db10df6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "199624f3144d79fab1cff533ce6a4b82390520a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e68a0f7bc576318a58335c31c542b358bc63f83",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2a6198f5ed7d6e4e06d87a4de007f2e45cc9583",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29961ee63dd676cc67f7c00f76faa21e11f0d7c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d5aa219a790d61cad2c38e1aa32058f16ad2f0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/boot/dts/exynos5420.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy\n\nFor some reason, the driver adding support for Exynos5420 MIPI phy\nback in 2016 wasn\u0027t used on Exynos5420, which caused a kernel panic.\nAdd the proper compatible for it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:51.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c075aa3467a799855a92289a3c619afc0a2ad193"
},
{
"url": "https://git.kernel.org/stable/c/537bdfc1a67836fbd68bbe4210bc380f72cca47f"
},
{
"url": "https://git.kernel.org/stable/c/f10001af0f7246cf3e43530d25f8d59a8db10df6"
},
{
"url": "https://git.kernel.org/stable/c/199624f3144d79fab1cff533ce6a4b82390520a3"
},
{
"url": "https://git.kernel.org/stable/c/2e68a0f7bc576318a58335c31c542b358bc63f83"
},
{
"url": "https://git.kernel.org/stable/c/f2a6198f5ed7d6e4e06d87a4de007f2e45cc9583"
},
{
"url": "https://git.kernel.org/stable/c/29961ee63dd676cc67f7c00f76faa21e11f0d7c6"
},
{
"url": "https://git.kernel.org/stable/c/5d5aa219a790d61cad2c38e1aa32058f16ad2f0b"
}
],
"title": "ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53542",
"datePublished": "2025-10-04T15:16:51.440Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2025-10-04T15:16:51.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40129 (GCVE-0-2025-40129)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sunrpc: fix null pointer dereference on zero-length checksum
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix null pointer dereference on zero-length checksum
In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes
checksum.data to be set to NULL. This triggers a NPD when accessing
checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that
the value of checksum.len is not less than XDR_UNIT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 81cec07d303186d0d8c623ef8b5ecd3b81e94cf6
(git)
Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < affc03d44921f493deaae1d33151e3067a6f9f8f (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < ab9a70cd2386a0d70c164b0905dd66bc9af52e77 (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81cec07d303186d0d8c623ef8b5ecd3b81e94cf6",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "affc03d44921f493deaae1d33151e3067a6f9f8f",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "ab9a70cd2386a0d70c164b0905dd66bc9af52e77",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix null pointer dereference on zero-length checksum\n\nIn xdr_stream_decode_opaque_auth(), zero-length checksum.len causes\nchecksum.data to be set to NULL. This triggers a NPD when accessing\nchecksum.data in gss_krb5_verify_mic_v2(). This patch ensures that\nthe value of checksum.len is not less than XDR_UNIT."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:34.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81cec07d303186d0d8c623ef8b5ecd3b81e94cf6"
},
{
"url": "https://git.kernel.org/stable/c/affc03d44921f493deaae1d33151e3067a6f9f8f"
},
{
"url": "https://git.kernel.org/stable/c/ab9a70cd2386a0d70c164b0905dd66bc9af52e77"
},
{
"url": "https://git.kernel.org/stable/c/6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42"
}
],
"title": "sunrpc: fix null pointer dereference on zero-length checksum",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40129",
"datePublished": "2025-11-12T10:23:21.327Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:34.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53676 (GCVE-0-2023-53676)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2025-10-07 15:21
VLAI?
EPSS
Title
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to overflow the
buffer provided by configfs and corrupt the memory.
This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
boundries.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < df349e84c2cb0dd05d98c8e1189c26ab4b116083
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 114b44dddea1f8f99576de3c0e6e9059012002fc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5353df78c22623b42a71d51226d228a8413097e2 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4738bf8b2d3635c2944b81b2a84d97b8c8b0978d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0cac6cbb9908309352a5d30c1876882771d3da50 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 801f287c93ff95582b0a2d2163f12870a2f076d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df349e84c2cb0dd05d98c8e1189c26ab4b116083",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114b44dddea1f8f99576de3c0e6e9059012002fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5353df78c22623b42a71d51226d228a8413097e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4738bf8b2d3635c2944b81b2a84d97b8c8b0978d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0cac6cbb9908309352a5d30c1876882771d3da50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "801f287c93ff95582b0a2d2163f12870a2f076d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it\u0027s possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundries."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:31.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df349e84c2cb0dd05d98c8e1189c26ab4b116083"
},
{
"url": "https://git.kernel.org/stable/c/114b44dddea1f8f99576de3c0e6e9059012002fc"
},
{
"url": "https://git.kernel.org/stable/c/2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6"
},
{
"url": "https://git.kernel.org/stable/c/bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a"
},
{
"url": "https://git.kernel.org/stable/c/5353df78c22623b42a71d51226d228a8413097e2"
},
{
"url": "https://git.kernel.org/stable/c/4738bf8b2d3635c2944b81b2a84d97b8c8b0978d"
},
{
"url": "https://git.kernel.org/stable/c/0cac6cbb9908309352a5d30c1876882771d3da50"
},
{
"url": "https://git.kernel.org/stable/c/801f287c93ff95582b0a2d2163f12870a2f076d4"
}
],
"title": "scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53676",
"datePublished": "2025-10-07T15:21:31.757Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:31.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40021 (GCVE-0-2025-40021)
Vulnerability from cvelistv5 – Published: 2025-10-24 12:24 – Updated: 2025-10-24 12:24
VLAI?
EPSS
Title
tracing: dynevent: Add a missing lockdown check on dynevent
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: dynevent: Add a missing lockdown check on dynevent
Since dynamic_events interface on tracefs is compatible with
kprobe_events and uprobe_events, it should also check the lockdown
status and reject if it is set.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf
(git)
Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 0d41604d2d53c1abe27fefb54b37a8f6642a4d74 (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 07b1f63b5f86765793fab44d3d4c2be681cddafb (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 3887f3814c0e770e6b73567fe0f83a2c01a6470c (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 573b1e39edfcb7b4eecde0f1664455a1f4462eee (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb (git) Affected: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 , < 456c32e3c4316654f95f9d49c12cbecfb77d5660 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "0d41604d2d53c1abe27fefb54b37a8f6642a4d74",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "07b1f63b5f86765793fab44d3d4c2be681cddafb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "3887f3814c0e770e6b73567fe0f83a2c01a6470c",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "573b1e39edfcb7b4eecde0f1664455a1f4462eee",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "456c32e3c4316654f95f9d49c12cbecfb77d5660",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: dynevent: Add a missing lockdown check on dynevent\n\nSince dynamic_events interface on tracefs is compatible with\nkprobe_events and uprobe_events, it should also check the lockdown\nstatus and reject if it is set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:57.107Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf"
},
{
"url": "https://git.kernel.org/stable/c/0d41604d2d53c1abe27fefb54b37a8f6642a4d74"
},
{
"url": "https://git.kernel.org/stable/c/07b1f63b5f86765793fab44d3d4c2be681cddafb"
},
{
"url": "https://git.kernel.org/stable/c/3887f3814c0e770e6b73567fe0f83a2c01a6470c"
},
{
"url": "https://git.kernel.org/stable/c/573b1e39edfcb7b4eecde0f1664455a1f4462eee"
},
{
"url": "https://git.kernel.org/stable/c/b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb"
},
{
"url": "https://git.kernel.org/stable/c/456c32e3c4316654f95f9d49c12cbecfb77d5660"
}
],
"title": "tracing: dynevent: Add a missing lockdown check on dynevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40021",
"datePublished": "2025-10-24T12:24:57.107Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:57.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40030 (GCVE-0-2025-40030)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
pinctrl: check the return value of pinmux_ops::get_function_name()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: check the return value of pinmux_ops::get_function_name()
While the API contract in docs doesn't specify it explicitly, the
generic implementation of the get_function_name() callback from struct
pinmux_ops - pinmux_generic_get_function_name() - can fail and return
NULL. This is already checked in pinmux_check_ops() so add a similar
check in pinmux_func_name_to_selector() instead of passing the returned
pointer right down to strcmp() where the NULL can get dereferenced. This
is normal operation when adding new pinfunctions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a7fc8fed2bb2e113604fde7a45432ace2056b97
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e7265dc4c670b89611bcf5fe33acf99bc0aa294f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d77ef2f621cd1d605372c4c6ce667c496f6990c3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba7f7c2b2b3261e7def67018c38c69b626e0e66e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a2ea887a5cd7d47bab599f733d89444df018b1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 688c688e0bf55824f4a38f8c2180046f089a3e3b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b7e0535060a60cc99eafc19cc665d979714cd73a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a7fc8fed2bb2e113604fde7a45432ace2056b97",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e7265dc4c670b89611bcf5fe33acf99bc0aa294f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d77ef2f621cd1d605372c4c6ce667c496f6990c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba7f7c2b2b3261e7def67018c38c69b626e0e66e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a2ea887a5cd7d47bab599f733d89444df018b1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "688c688e0bf55824f4a38f8c2180046f089a3e3b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b7e0535060a60cc99eafc19cc665d979714cd73a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4002ee98c022d671ecc1e4a84029e9ae7d8a5603",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: check the return value of pinmux_ops::get_function_name()\n\nWhile the API contract in docs doesn\u0027t specify it explicitly, the\ngeneric implementation of the get_function_name() callback from struct\npinmux_ops - pinmux_generic_get_function_name() - can fail and return\nNULL. This is already checked in pinmux_check_ops() so add a similar\ncheck in pinmux_func_name_to_selector() instead of passing the returned\npointer right down to strcmp() where the NULL can get dereferenced. This\nis normal operation when adding new pinfunctions."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:32.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97"
},
{
"url": "https://git.kernel.org/stable/c/e7265dc4c670b89611bcf5fe33acf99bc0aa294f"
},
{
"url": "https://git.kernel.org/stable/c/d77ef2f621cd1d605372c4c6ce667c496f6990c3"
},
{
"url": "https://git.kernel.org/stable/c/ba7f7c2b2b3261e7def67018c38c69b626e0e66e"
},
{
"url": "https://git.kernel.org/stable/c/1a2ea887a5cd7d47bab599f733d89444df018b1a"
},
{
"url": "https://git.kernel.org/stable/c/688c688e0bf55824f4a38f8c2180046f089a3e3b"
},
{
"url": "https://git.kernel.org/stable/c/b7e0535060a60cc99eafc19cc665d979714cd73a"
},
{
"url": "https://git.kernel.org/stable/c/4002ee98c022d671ecc1e4a84029e9ae7d8a5603"
}
],
"title": "pinctrl: check the return value of pinmux_ops::get_function_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40030",
"datePublished": "2025-10-28T11:48:01.608Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:32.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53431 (GCVE-0-2023-53431)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2025-10-02 07:04
VLAI?
EPSS
Title
scsi: ses: Handle enclosure with just a primary component gracefully
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Handle enclosure with just a primary component gracefully
This reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosure
has no components") and introduces proper handling of case where there are
no detected secondary components, but primary component (enumerated in
num_enclosures) does exist. That fix was originally proposed by Ding Hui
<dinghui@sangfor.com.cn>.
Completely ignoring devices that have one primary enclosure and no
secondary one results in ses_intf_add() bailing completely
scsi 2:0:0:254: enclosure has no enumerated components
scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such
even on valid configurations with 1 primary and 0 secondary enclosures as
below:
# sg_ses /dev/sg0
3PARdata SES 3321
Supported diagnostic pages:
Supported Diagnostic Pages [sdp] [0x0]
Configuration (SES) [cf] [0x1]
Short Enclosure Status (SES) [ses] [0x8]
# sg_ses -p cf /dev/sg0
3PARdata SES 3321
Configuration diagnostic page:
number of secondary subenclosures: 0
generation code: 0x0
enclosure descriptor list
Subenclosure identifier: 0 [primary]
relative ES process id: 0, number of ES processes: 1
number of type descriptor headers: 1
enclosure logical identifier (hex): 20000002ac02068d
enclosure vendor: 3PARdata product: VV rev: 3321
type descriptor header and text list
Element type: Unspecified, subenclosure id: 0
number of possible elements: 1
The changelog for the original fix follows
=====
We can get a crash when disconnecting the iSCSI session,
the call trace like this:
[ffff00002a00fb70] kfree at ffff00000830e224
[ffff00002a00fba0] ses_intf_remove at ffff000001f200e4
[ffff00002a00fbd0] device_del at ffff0000086b6a98
[ffff00002a00fc50] device_unregister at ffff0000086b6d58
[ffff00002a00fc70] __scsi_remove_device at ffff00000870608c
[ffff00002a00fca0] scsi_remove_device at ffff000008706134
[ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4
[ffff00002a00fd10] scsi_remove_target at ffff0000087064c0
[ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4
[ffff00002a00fdb0] process_one_work at ffff00000810f35c
[ffff00002a00fe00] worker_thread at ffff00000810f648
[ffff00002a00fe70] kthread at ffff000008116e98
In ses_intf_add, components count could be 0, and kcalloc 0 size scomp,
but not saved in edev->component[i].scratch
In this situation, edev->component[0].scratch is an invalid pointer,
when kfree it in ses_intf_remove_enclosure, a crash like above would happen
The call trace also could be other random cases when kfree cannot catch
the invalid pointer
We should not use edev->component[] array when the components count is 0
We also need check index when use edev->component[] array in
ses_enclosure_data_process
=====
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9927c68864e9c39cc317b4f559309ba29e642168 , < 4e7c498c3713b09bef20c76c7319555637e8bbd5
(git)
Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 110d425cdfb15006f3c4fde5264e786a247b6b36 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 176d7345b89ced72020a313bfa4e7f345d1c3aed (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 05143d90ac90b7abc6692285895a1ef460e008ee (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < f8e702c54413eee2d8f94f61d18adadac7c87e87 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < eabc4872f172ecb8dd8536bc366a51868154a450 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < c8e22b7a1694bb8d025ea636816472739d859145 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e7c498c3713b09bef20c76c7319555637e8bbd5",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "110d425cdfb15006f3c4fde5264e786a247b6b36",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "176d7345b89ced72020a313bfa4e7f345d1c3aed",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "05143d90ac90b7abc6692285895a1ef460e008ee",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "f8e702c54413eee2d8f94f61d18adadac7c87e87",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "eabc4872f172ecb8dd8536bc366a51868154a450",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "c8e22b7a1694bb8d025ea636816472739d859145",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary component gracefully\n\nThis reverts commit 3fe97ff3d949 (\"scsi: ses: Don\u0027t attach if enclosure\nhas no components\") and introduces proper handling of case where there are\nno detected secondary components, but primary component (enumerated in\nnum_enclosures) does exist. That fix was originally proposed by Ding Hui\n\u003cdinghui@sangfor.com.cn\u003e.\n\nCompletely ignoring devices that have one primary enclosure and no\nsecondary one results in ses_intf_add() bailing completely\n\n\tscsi 2:0:0:254: enclosure has no enumerated components\n scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\n\neven on valid configurations with 1 primary and 0 secondary enclosures as\nbelow:\n\n\t# sg_ses /dev/sg0\n\t 3PARdata SES 3321\n\tSupported diagnostic pages:\n\t Supported Diagnostic Pages [sdp] [0x0]\n\t Configuration (SES) [cf] [0x1]\n\t Short Enclosure Status (SES) [ses] [0x8]\n\t# sg_ses -p cf /dev/sg0\n\t 3PARdata SES 3321\n\tConfiguration diagnostic page:\n\t number of secondary subenclosures: 0\n\t generation code: 0x0\n\t enclosure descriptor list\n\t Subenclosure identifier: 0 [primary]\n\t relative ES process id: 0, number of ES processes: 1\n\t number of type descriptor headers: 1\n\t enclosure logical identifier (hex): 20000002ac02068d\n\t enclosure vendor: 3PARdata product: VV rev: 3321\n\t type descriptor header and text list\n\t Element type: Unspecified, subenclosure id: 0\n\t number of possible elements: 1\n\nThe changelog for the original fix follows\n\n=====\nWe can get a crash when disconnecting the iSCSI session,\nthe call trace like this:\n\n [ffff00002a00fb70] kfree at ffff00000830e224\n [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\n [ffff00002a00fbd0] device_del at ffff0000086b6a98\n [ffff00002a00fc50] device_unregister at ffff0000086b6d58\n [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\n [ffff00002a00fca0] scsi_remove_device at ffff000008706134\n [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\n [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\n [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\n [ffff00002a00fdb0] process_one_work at ffff00000810f35c\n [ffff00002a00fe00] worker_thread at ffff00000810f648\n [ffff00002a00fe70] kthread at ffff000008116e98\n\nIn ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\nbut not saved in edev-\u003ecomponent[i].scratch\n\nIn this situation, edev-\u003ecomponent[0].scratch is an invalid pointer,\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\nThe call trace also could be other random cases when kfree cannot catch\nthe invalid pointer\n\nWe should not use edev-\u003ecomponent[] array when the components count is 0\nWe also need check index when use edev-\u003ecomponent[] array in\nses_enclosure_data_process\n====="
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T07:04:20.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5"
},
{
"url": "https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36"
},
{
"url": "https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed"
},
{
"url": "https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee"
},
{
"url": "https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87"
},
{
"url": "https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450"
},
{
"url": "https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145"
}
],
"title": "scsi: ses: Handle enclosure with just a primary component gracefully",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53431",
"datePublished": "2025-09-18T16:04:11.748Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2025-10-02T07:04:20.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40159 (GCVE-0-2025-40159)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
xsk: Harden userspace-supplied xdp_desc validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: Harden userspace-supplied xdp_desc validation
Turned out certain clearly invalid values passed in xdp_desc from
userspace can pass xp_{,un}aligned_validate_desc() and then lead
to UBs or just invalid frames to be queued for xmit.
desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.
Always promote desc->len to ``u64`` first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is ``u64`` already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function old new delta
xskq_cons_peek_desc 299 330 +31
xsk_tx_peek_release_desc_batch 973 1002 +29
xsk_generic_xmit 3148 3132 -16
but hopefully this doesn't hurt the performance much.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 1463cd066f32efd56ddfd3ac4e3524200f362980
(git)
Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 (git) Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 07ca98f906a403637fc5e513a872a50ef1247f3b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1463cd066f32efd56ddfd3ac4e3524200f362980",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
},
{
"lessThan": "5b5fffa7c81e55d8c8edf05ad40d811ec7047e21",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
},
{
"lessThan": "07ca98f906a403637fc5e513a872a50ef1247f3b",
"status": "affected",
"version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction old new delta\nxskq_cons_peek_desc 299 330 +31\nxsk_tx_peek_release_desc_batch 973 1002 +29\nxsk_generic_xmit 3148 3132 -16\n\nbut hopefully this doesn\u0027t hurt the performance much."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:10.673Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"
},
{
"url": "https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"
},
{
"url": "https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"
}
],
"title": "xsk: Harden userspace-supplied xdp_desc validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40159",
"datePublished": "2025-11-12T10:24:36.104Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:10.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40027 (GCVE-0-2025-40027)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
net/9p: fix double req put in p9_fd_cancelled
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/9p: fix double req put in p9_fd_cancelled
Syzkaller reports a KASAN issue as below:
general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
Call Trace:
<TASK>
p9_client_flush+0x351/0x440 net/9p/client.c:614
p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
p9_client_version net/9p/client.c:920 [inline]
p9_client_create+0xb51/0x1240 net/9p/client.c:1027
v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
legacy_get_tree+0x108/0x220 fs/fs_context.c:632
vfs_get_tree+0x8e/0x300 fs/super.c:1573
do_new_mount fs/namespace.c:3056 [inline]
path_mount+0x6a6/0x1e90 fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
This happens because of a race condition between:
- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.
Thread 1 Thread 2
...
p9_client_create()
...
p9_fd_create()
...
p9_conn_create()
...
// start Thread 2
INIT_WORK(&m->rq, p9_read_work);
p9_read_work()
...
p9_client_rpc()
...
...
p9_conn_cancel()
...
spin_lock(&m->req_lock);
...
p9_fd_cancelled()
...
...
spin_unlock(&m->req_lock);
// status rewrite
p9_client_cb(m->client, req, REQ_STATUS_ERROR)
// first remove
list_del(&req->req_list);
...
spin_lock(&m->req_lock)
...
// second remove
list_del(&req->req_list);
spin_unlock(&m->req_lock)
...
Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.
Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
[updated the check from status == RECV || status == ERROR to status != SENT]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
afd8d65411551839b7ab14a539d00075b2793451 , < a5901a0dfb5964525990106706ae8b98db098226
(git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 5c64c0b7b3446f7ed088a13bc8d7487d66534cbb (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < c1db864270eb7fea94a9ef201da0c9dc1cbab7b8 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 0e0097005abc02c9f262370674f855625f4f3fb4 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 284e67a93b8c48952b6fc82129a8d3eb9dc73b06 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 448db01a48e1cdbbc31c995716a5dac1e52ba036 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 94797b84cb9985022eb9cb3275c9497fbc883bb6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5901a0dfb5964525990106706ae8b98db098226",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "5c64c0b7b3446f7ed088a13bc8d7487d66534cbb",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "c1db864270eb7fea94a9ef201da0c9dc1cbab7b8",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "0e0097005abc02c9f262370674f855625f4f3fb4",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "284e67a93b8c48952b6fc82129a8d3eb9dc73b06",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "448db01a48e1cdbbc31c995716a5dac1e52ba036",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "94797b84cb9985022eb9cb3275c9497fbc883bb6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "674b56aa57f9379854cb6798c3bbcef7e7b51ab7",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n Thread 1 Thread 2\n ...\n p9_client_create()\n ...\n p9_fd_create()\n ...\n p9_conn_create()\n ...\n // start Thread 2\n INIT_WORK(\u0026m-\u003erq, p9_read_work);\n p9_read_work()\n ...\n p9_client_rpc()\n ...\n ...\n p9_conn_cancel()\n ...\n spin_lock(\u0026m-\u003ereq_lock);\n ...\n p9_fd_cancelled()\n ...\n ...\n spin_unlock(\u0026m-\u003ereq_lock);\n // status rewrite\n p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n // first remove\n list_del(\u0026req-\u003ereq_list);\n ...\n\n spin_lock(\u0026m-\u003ereq_lock)\n ...\n // second remove\n list_del(\u0026req-\u003ereq_list);\n spin_unlock(\u0026m-\u003ereq_lock)\n ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:29.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5901a0dfb5964525990106706ae8b98db098226"
},
{
"url": "https://git.kernel.org/stable/c/5c64c0b7b3446f7ed088a13bc8d7487d66534cbb"
},
{
"url": "https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8"
},
{
"url": "https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4"
},
{
"url": "https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06"
},
{
"url": "https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6"
},
{
"url": "https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036"
},
{
"url": "https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6"
},
{
"url": "https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7"
}
],
"title": "net/9p: fix double req put in p9_fd_cancelled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40027",
"datePublished": "2025-10-28T09:32:34.162Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:29.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40048 (GCVE-0-2025-40048)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
uio_hv_generic: Let userspace take care of interrupt mask
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Let userspace take care of interrupt mask
Remove the logic to set interrupt mask by default in uio_hv_generic
driver as the interrupt mask value is supposed to be controlled
completely by the user space. If the mask bit gets changed
by the driver, concurrently with user mode operating on the ring,
the mask bit may be set when it is supposed to be clear, and the
user-mode driver will miss an interrupt which will cause a hang.
For eg- when the driver sets inbound ring buffer interrupt mask to 1,
the host does not interrupt the guest on the UIO VMBus channel.
However, setting the mask does not prevent the host from putting a
message in the inbound ring buffer. So let’s assume that happens,
the host puts a message into the ring buffer but does not interrupt.
Subsequently, the user space code in the guest sets the inbound ring
buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
User space code then calls pread() to wait for an interrupt.
Then one of two things happens:
* The host never sends another message. So the pread() waits forever.
* The host does send another message. But because there’s already a
message in the ring buffer, it doesn’t generate an interrupt.
This is the correct behavior, because the host should only send an
interrupt when the inbound ring buffer transitions from empty to
not-empty. Adding an additional message to a ring buffer that is not
empty is not supposed to generate an interrupt on the guest.
Since the guest is waiting in pread() and not removing messages from
the ring buffer, the pread() waits forever.
This could be easily reproduced in hv_fcopy_uio_daemon if we delay
setting interrupt mask to 0.
Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
there’s a race condition. Once user space empties the inbound ring
buffer, but before user space sets interrupt_mask to 0, the host could
put another message in the ring buffer but it wouldn’t interrupt.
Then the next pread() would hang.
Fix these by removing all instances where interrupt_mask is changed,
while keeping the one in set_event() unchanged to enable userspace
control the interrupt mask by writing 0/1 to /dev/uioX.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95096f2fbd10186d3e78a328b327afc71428f65f , < 540aac117eaea5723cef5e4cbf3035c4ac654d92
(git)
Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 65d40acd911c7011745cbbd2aaac34eb5266d11e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < a44f61f878f32071d6378e8dd7c2d47f9490c8f7 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 01ce972e6f9974a7c76943bcb7e93746917db83a (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 2af39ab5e6dc46b835a52e80a22d0cad430985e3 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 37bd91f22794dc05436130d6983302cb90ecfe7e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < e29587c07537929684faa365027f4b0d87521e1b (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < b15b7d2a1b09ef5428a8db260251897405a19496 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "540aac117eaea5723cef5e4cbf3035c4ac654d92",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "65d40acd911c7011745cbbd2aaac34eb5266d11e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "a44f61f878f32071d6378e8dd7c2d47f9490c8f7",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "01ce972e6f9974a7c76943bcb7e93746917db83a",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "2af39ab5e6dc46b835a52e80a22d0cad430985e3",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "37bd91f22794dc05436130d6983302cb90ecfe7e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "e29587c07537929684faa365027f4b0d87521e1b",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "b15b7d2a1b09ef5428a8db260251897405a19496",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Let userspace take care of interrupt mask\n\nRemove the logic to set interrupt mask by default in uio_hv_generic\ndriver as the interrupt mask value is supposed to be controlled\ncompletely by the user space. If the mask bit gets changed\nby the driver, concurrently with user mode operating on the ring,\nthe mask bit may be set when it is supposed to be clear, and the\nuser-mode driver will miss an interrupt which will cause a hang.\n\nFor eg- when the driver sets inbound ring buffer interrupt mask to 1,\nthe host does not interrupt the guest on the UIO VMBus channel.\nHowever, setting the mask does not prevent the host from putting a\nmessage in the inbound ring buffer.\u00a0So let\u2019s assume that happens,\nthe host puts a message into the ring buffer but does not interrupt.\n\nSubsequently, the user space code in the guest sets the inbound ring\nbuffer interrupt mask to 0, saying \u201cHey, I\u2019m ready for interrupts\u201d.\nUser space code then calls pread() to wait for an interrupt.\nThen one of two things happens:\n\n* The host never sends another message. So the pread() waits forever.\n* The host does send another message. But because there\u2019s already a\n message in the ring buffer, it doesn\u2019t generate an interrupt.\n This is the correct behavior, because the host should only send an\n interrupt when the inbound ring buffer transitions from empty to\n not-empty. Adding an additional message to a ring buffer that is not\n empty is not supposed to generate an interrupt on the guest.\n Since the guest is waiting in pread() and not removing messages from\n the ring buffer, the pread() waits forever.\n\nThis could be easily reproduced in hv_fcopy_uio_daemon if we delay\nsetting interrupt mask to 0.\n\nSimilarly if hv_uio_channel_cb() sets the interrupt_mask to 1,\nthere\u2019s a race condition. Once user space empties the inbound ring\nbuffer, but before user space sets interrupt_mask to 0, the host could\nput another message in the ring buffer but it wouldn\u2019t interrupt.\nThen the next pread() would hang.\n\nFix these by removing all instances where interrupt_mask is changed,\nwhile keeping the one in set_event() unchanged to enable userspace\ncontrol the interrupt mask by writing 0/1 to /dev/uioX."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:53.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/540aac117eaea5723cef5e4cbf3035c4ac654d92"
},
{
"url": "https://git.kernel.org/stable/c/65d40acd911c7011745cbbd2aaac34eb5266d11e"
},
{
"url": "https://git.kernel.org/stable/c/a44f61f878f32071d6378e8dd7c2d47f9490c8f7"
},
{
"url": "https://git.kernel.org/stable/c/01ce972e6f9974a7c76943bcb7e93746917db83a"
},
{
"url": "https://git.kernel.org/stable/c/2af39ab5e6dc46b835a52e80a22d0cad430985e3"
},
{
"url": "https://git.kernel.org/stable/c/37bd91f22794dc05436130d6983302cb90ecfe7e"
},
{
"url": "https://git.kernel.org/stable/c/e29587c07537929684faa365027f4b0d87521e1b"
},
{
"url": "https://git.kernel.org/stable/c/b15b7d2a1b09ef5428a8db260251897405a19496"
}
],
"title": "uio_hv_generic: Let userspace take care of interrupt mask",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40048",
"datePublished": "2025-10-28T11:48:25.220Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2025-12-01T06:16:53.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40140 (GCVE-0-2025-40140)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb);
}
rtl8150_set_multicast() {
netif_stop_queue();
netif_wake_queue(); <-- wakes up TX queue before URB is done
}
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb); <-- double submission
}
rtl8150_set_multicast being the ndo_set_rx_mode callback should not be
calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.
The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cce3c0e21cdd15bcba5c35d3af1700186de8f187
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a08a37ac03d07a1608a1592791041cac979fbc3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 54f8ef1a970a8376e5846ed90854decf7c00555d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 114e05344763a102a8844efd96ec06ba99293ccd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6394bade9daab8e318c165fe43bba012bf13cd8e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6053e47bbf212b93c051beb4261d7d5a409d0ce3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d72df7f5eac946f853bf49c428c4e87a17d91da (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 958baf5eaee394e5fd976979b0791a875f14a179 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cce3c0e21cdd15bcba5c35d3af1700186de8f187",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a08a37ac03d07a1608a1592791041cac979fbc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54f8ef1a970a8376e5846ed90854decf7c00555d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114e05344763a102a8844efd96ec06ba99293ccd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6394bade9daab8e318c165fe43bba012bf13cd8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6053e47bbf212b93c051beb4261d7d5a409d0ce3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d72df7f5eac946f853bf49c428c4e87a17d91da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "958baf5eaee394e5fd976979b0791a875f14a179",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\n\nsyzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.\nThis is the sequence of events that leads to the warning:\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\n}\n\nrtl8150_set_multicast() {\n\tnetif_stop_queue();\n\tnetif_wake_queue();\t\t\u003c-- wakes up TX queue before URB is done\n}\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\t\u003c-- double submission\n}\n\nrtl8150_set_multicast being the ndo_set_rx_mode callback should not be\ncalling netif_stop_queue and notif_start_queue as these handle\nTX queue synchronization.\n\nThe net core function dev_set_rx_mode handles the synchronization\nfor rtl8150_set_multicast making it safe to remove these locks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:48.351Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cce3c0e21cdd15bcba5c35d3af1700186de8f187"
},
{
"url": "https://git.kernel.org/stable/c/1a08a37ac03d07a1608a1592791041cac979fbc3"
},
{
"url": "https://git.kernel.org/stable/c/54f8ef1a970a8376e5846ed90854decf7c00555d"
},
{
"url": "https://git.kernel.org/stable/c/114e05344763a102a8844efd96ec06ba99293ccd"
},
{
"url": "https://git.kernel.org/stable/c/6394bade9daab8e318c165fe43bba012bf13cd8e"
},
{
"url": "https://git.kernel.org/stable/c/6053e47bbf212b93c051beb4261d7d5a409d0ce3"
},
{
"url": "https://git.kernel.org/stable/c/9d72df7f5eac946f853bf49c428c4e87a17d91da"
},
{
"url": "https://git.kernel.org/stable/c/958baf5eaee394e5fd976979b0791a875f14a179"
}
],
"title": "net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40140",
"datePublished": "2025-11-12T10:23:24.586Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:48.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40118 (GCVE-0-2025-40118)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:
UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
index 28 is out of range for type 'pm8001_phy [16]'
on rmmod when using an expander.
For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.
I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).
E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the
ports has an expander connected. The expander has 31 phys with phy ids
0-30.
The pm8001_ha->phy array only contains the phys of the HBA. It does not
contain the phys of the expander. Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.
Thus, we can only clear phy_attached for devices that are directly
attached.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
05b512879eab41faa515b67fa3896d0005e97909 , < d94be0a6ae9ade706d4270e740bdb4f79953a7fc
(git)
Affected: bc2140c8136200b4437e1abc0fb659968cb9baab , < 45acbf154befedd9bc135f5e031fe7855d1e6493 (git) Affected: 1d8f9378cb4800c18e20d80ecd605b2b93e87a03 , < eef5ef400893f8e3dbb09342583be0cdc716d566 (git) Affected: 30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a , < 9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582 (git) Affected: a862d24e1fc3ab1b5e5f20878d2898cea346d0ec , < e62251954a128a2d0fcbc19e5fa39e08935bb628 (git) Affected: 0f9802f174227f553959422f844eeb9ba72467fe , < 9326a1541e1b7ed3efdbab72061b82cf01c6477a (git) Affected: f7b705c238d1483f0a766e2b20010f176e5c0fb7 , < 83ced3c206c292458e47c7fac54223abc7141585 (git) Affected: f7b705c238d1483f0a766e2b20010f176e5c0fb7 , < 251be2f6037fb7ab399f68cd7428ff274133d693 (git) Affected: 722026c010fa75bcf9e2373aff1d7930a3d7e3cf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d94be0a6ae9ade706d4270e740bdb4f79953a7fc",
"status": "affected",
"version": "05b512879eab41faa515b67fa3896d0005e97909",
"versionType": "git"
},
{
"lessThan": "45acbf154befedd9bc135f5e031fe7855d1e6493",
"status": "affected",
"version": "bc2140c8136200b4437e1abc0fb659968cb9baab",
"versionType": "git"
},
{
"lessThan": "eef5ef400893f8e3dbb09342583be0cdc716d566",
"status": "affected",
"version": "1d8f9378cb4800c18e20d80ecd605b2b93e87a03",
"versionType": "git"
},
{
"lessThan": "9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582",
"status": "affected",
"version": "30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a",
"versionType": "git"
},
{
"lessThan": "e62251954a128a2d0fcbc19e5fa39e08935bb628",
"status": "affected",
"version": "a862d24e1fc3ab1b5e5f20878d2898cea346d0ec",
"versionType": "git"
},
{
"lessThan": "9326a1541e1b7ed3efdbab72061b82cf01c6477a",
"status": "affected",
"version": "0f9802f174227f553959422f844eeb9ba72467fe",
"versionType": "git"
},
{
"lessThan": "83ced3c206c292458e47c7fac54223abc7141585",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"lessThan": "251be2f6037fb7ab399f68cd7428ff274133d693",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"status": "affected",
"version": "722026c010fa75bcf9e2373aff1d7930a3d7e3cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.136",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n index 28 is out of range for type \u0027pm8001_phy [16]\u0027\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha-\u003echip-\u003en_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha-\u003echip-\u003en_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the\nports has an expander connected. The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha-\u003ephy array only contains the phys of the HBA. It does not\ncontain the phys of the expander. Thus, it is wrong to use attached_phy\nto index the pm8001_ha-\u003ephy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:22.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc"
},
{
"url": "https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493"
},
{
"url": "https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566"
},
{
"url": "https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"
},
{
"url": "https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628"
},
{
"url": "https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a"
},
{
"url": "https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585"
},
{
"url": "https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693"
}
],
"title": "scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40118",
"datePublished": "2025-11-12T10:23:18.179Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:22.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50253 (GCVE-0-2022-50253)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:02 – Updated: 2025-12-23 13:27
VLAI?
EPSS
Title
bpf: make sure skb->len != 0 when redirecting to a tunneling device
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: make sure skb->len != 0 when redirecting to a tunneling device
syzkaller managed to trigger another case where skb->len == 0
when we enter __dev_queue_xmit:
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295
Call Trace:
dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
__bpf_tx_skb net/core/filter.c:2115 [inline]
__bpf_redirect_no_mac net/core/filter.c:2140 [inline]
__bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
____bpf_clone_redirect net/core/filter.c:2447 [inline]
bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
bpf_prog_48159a89cb4a9a16+0x59/0x5e
bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
__bpf_prog_run include/linux/filter.h:596 [inline]
bpf_prog_run include/linux/filter.h:603 [inline]
bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
__sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
__do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x61/0xc6
The reproducer doesn't really reproduce outside of syzkaller
environment, so I'm taking a guess here. It looks like we
do generate correct ETH_HLEN-sized packet, but we redirect
the packet to the tunneling device. Before we do so, we
__skb_pull l2 header and arrive again at skb->len == 0.
Doesn't seem like we can do anything better than having
an explicit check after __skb_pull?
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < ffbccc5fb0a67424e12f7f8da210c04c8063f797
(git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < e6a63203e5a90a39392fa1a7ffc60f5e9baf642a (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 772431f30ca040cfbf31b791d468bac6a9ca74d3 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 6d935a02658be82585ecb39aab339faa84496650 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 1b65704b8c08ae92db29f720d3b298031131da53 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < f186303845a01cc7e991f9dc51d7e5a3cdc7aedb (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffbccc5fb0a67424e12f7f8da210c04c8063f797",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "e6a63203e5a90a39392fa1a7ffc60f5e9baf642a",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "772431f30ca040cfbf31b791d468bac6a9ca74d3",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "6d935a02658be82585ecb39aab339faa84496650",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "1b65704b8c08ae92db29f720d3b298031131da53",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "f186303845a01cc7e991f9dc51d7e5a3cdc7aedb",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "07ec7b502800ba9f7b8b15cb01dd6556bb41aaca",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb-\u003elen == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn\u0027t really reproduce outside of syzkaller\nenvironment, so I\u0027m taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb-\u003elen == 0.\nDoesn\u0027t seem like we can do anything better than having\nan explicit check after __skb_pull?"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:27:37.407Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797"
},
{
"url": "https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"
},
{
"url": "https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3"
},
{
"url": "https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650"
},
{
"url": "https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"
},
{
"url": "https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53"
},
{
"url": "https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"
},
{
"url": "https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"
}
],
"title": "bpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50253",
"datePublished": "2025-09-15T14:02:34.849Z",
"dateReserved": "2025-09-15T13:58:00.973Z",
"dateUpdated": "2025-12-23T13:27:37.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40172 (GCVE-0-2025-40172)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Currently, if find_and_map_user_pages() takes a DMA xfer request from the
user with a length field set to 0, or in a rare case, the host receives
QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size
is equal to the requested transaction size, the function will return 0
before allocating an sgt or setting the fields of the dma_xfer struct.
In that case, encode_addr_size_pairs() will try to access the sgt which
will lead to a general protection fault.
Return an EINVAL in case the user provides a zero-sized ALP, or the device
requests continuation after all of the bytes have been transferred.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 48b1d42286bfef7628b1d6c8c28d4e456c90f725
(git)
Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede (git) Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 (git) Affected: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c , < 11f08c30a3e4157305ba692f1d44cca5fc9a8fca (git) Affected: d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48b1d42286bfef7628b1d6c8c28d4e456c90f725",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"lessThan": "11f08c30a3e4157305ba692f1d44cca5fc9a8fca",
"status": "affected",
"version": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"versionType": "git"
},
{
"status": "affected",
"version": "d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()\n\nCurrently, if find_and_map_user_pages() takes a DMA xfer request from the\nuser with a length field set to 0, or in a rare case, the host receives\nQAIC_TRANS_DMA_XFER_CONT from the device where resources-\u003exferred_dma_size\nis equal to the requested transaction size, the function will return 0\nbefore allocating an sgt or setting the fields of the dma_xfer struct.\nIn that case, encode_addr_size_pairs() will try to access the sgt which\nwill lead to a general protection fault.\n\nReturn an EINVAL in case the user provides a zero-sized ALP, or the device\nrequests continuation after all of the bytes have been transferred."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:27.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725"
},
{
"url": "https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede"
},
{
"url": "https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6"
},
{
"url": "https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca"
}
],
"title": "accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40172",
"datePublished": "2025-11-12T10:53:49.245Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:27.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40055 (GCVE-0-2025-40055)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ocfs2: fix double free in user_cluster_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix double free in user_cluster_connect()
user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then
the error handling frees "lc" a second time. Set "lc" to NULL on this
path to avoid a double free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 283333079d96c84baa91f0c62b5e0cbec246b7a2
(git)
Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < f992bc72f681c32a682d474a29c2135a64d4f4e5 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 827c8efa0d1afe817b90f3618afff552e88348d2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < bfe011297ddd2d0cd64752978baaa0c04cd20573 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 694d5b401036a614f8080085a9de6f86ff0742dc (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 892f41e12c8689130d552a9eb2b77bafd26484ab (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 8f45f089337d924db24397f55697cda0e6960516 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "283333079d96c84baa91f0c62b5e0cbec246b7a2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "f992bc72f681c32a682d474a29c2135a64d4f4e5",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "827c8efa0d1afe817b90f3618afff552e88348d2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "bfe011297ddd2d0cd64752978baaa0c04cd20573",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "694d5b401036a614f8080085a9de6f86ff0742dc",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "892f41e12c8689130d552a9eb2b77bafd26484ab",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "8f45f089337d924db24397f55697cda0e6960516",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix double free in user_cluster_connect()\n\nuser_cluster_disconnect() frees \"conn-\u003ecc_private\" which is \"lc\" but then\nthe error handling frees \"lc\" a second time. Set \"lc\" to NULL on this\npath to avoid a double free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:03.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/283333079d96c84baa91f0c62b5e0cbec246b7a2"
},
{
"url": "https://git.kernel.org/stable/c/f992bc72f681c32a682d474a29c2135a64d4f4e5"
},
{
"url": "https://git.kernel.org/stable/c/827c8efa0d1afe817b90f3618afff552e88348d2"
},
{
"url": "https://git.kernel.org/stable/c/bfe011297ddd2d0cd64752978baaa0c04cd20573"
},
{
"url": "https://git.kernel.org/stable/c/7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2"
},
{
"url": "https://git.kernel.org/stable/c/694d5b401036a614f8080085a9de6f86ff0742dc"
},
{
"url": "https://git.kernel.org/stable/c/892f41e12c8689130d552a9eb2b77bafd26484ab"
},
{
"url": "https://git.kernel.org/stable/c/8f45f089337d924db24397f55697cda0e6960516"
}
],
"title": "ocfs2: fix double free in user_cluster_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40055",
"datePublished": "2025-10-28T11:48:29.665Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:03.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40194 (GCVE-0-2025-40194)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.
Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).
Address this issue by modifying update_qos_request() to drop the
reference to the policy later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
da5c504c7aae96db68c4b38e2564a88e91842d89 , < 15ac9579ebdaf22a37d7f60b3a8efc1029732ef9
(git)
Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < bc26564bcc659beb6d977cd6eb394041ec2f2851 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 0a58d3e77b22b087a57831c87cafd360e144a5bd (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 69a18ff6c60e8e113420f15355fad862cb45d38e (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 57e4a6aadf12578b96a038373cffd54b3a58b092 (git) Affected: da5c504c7aae96db68c4b38e2564a88e91842d89 , < 69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15ac9579ebdaf22a37d7f60b3a8efc1029732ef9",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "bc26564bcc659beb6d977cd6eb394041ec2f2851",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "0a58d3e77b22b087a57831c87cafd360e144a5bd",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69a18ff6c60e8e113420f15355fad862cb45d38e",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "57e4a6aadf12578b96a038373cffd54b3a58b092",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n\nThe cpufreq_cpu_put() call in update_qos_request() takes place too early\nbecause the latter subsequently calls freq_qos_update_request() that\nindirectly accesses the policy object in question through the QoS request\nobject passed to it.\n\nFortunately, update_qos_request() is called under intel_pstate_driver_lock,\nso this issue does not matter for changing the intel_pstate operation\nmode, but it theoretically can cause a crash to occur on CPU device hot\nremoval (which currently can only happen in virt, but it is formally\nsupported nevertheless).\n\nAddress this issue by modifying update_qos_request() to drop the\nreference to the policy later."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:54.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9"
},
{
"url": "https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851"
},
{
"url": "https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4"
},
{
"url": "https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd"
},
{
"url": "https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e"
},
{
"url": "https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3"
},
{
"url": "https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092"
},
{
"url": "https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467"
}
],
"title": "cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40194",
"datePublished": "2025-11-12T21:56:32.025Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:54.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53641 (GCVE-0-2023-53641)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:19 – Updated: 2025-10-07 15:19
VLAI?
EPSS
Title
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
hif_dev->remain_skb is allocated and used exclusively in
ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is
processed and subsequently freed (in error paths) only during the next
call of ath9k_hif_usb_rx_stream().
So, if the urbs are deallocated between those two calls due to the device
deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()
is not called next time and the allocated remain_skb is leaked. Our local
Syzkaller instance was able to trigger that.
remain_skb makes sense when receiving two consecutive urbs which are
logically linked together, i.e. a specific data field from the first skb
indicates a cached skb to be allocated, memcpy'd with some data and
subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs
deallocation supposedly makes that link irrelevant so we need to free the
cached skb in those cases.
Fix the leak by introducing a function to explicitly free remain_skb (if
it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL
when it has not been allocated at all (hif_dev struct is kzalloced) or
when it has been processed in next call to ath9k_hif_usb_rx_stream().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9987d0f748c983bb795a86f47522313f701a08 , < 6719e3797ec52cd144c8a5ba8aaab36674800585
(git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < d9899318660791141ea6002fda5577b2c5d7386e (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 320d760a35273aa815d58b57e4fd9ba5279a3489 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 59073060fe0950c6ecbe12bdc06469dcac62128d (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 9b9356a3014123f0ce4b50d9278c1265173150ab (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < f0931fc8f4b6847c72e170d2326861c0a081d680 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 8f02d538878c9b1501f624595eb22ee4e5e0ff84 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 7654cc03eb699297130b693ec34e25f77b17c947 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6719e3797ec52cd144c8a5ba8aaab36674800585",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d9899318660791141ea6002fda5577b2c5d7386e",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "320d760a35273aa815d58b57e4fd9ba5279a3489",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "59073060fe0950c6ecbe12bdc06469dcac62128d",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9b9356a3014123f0ce4b50d9278c1265173150ab",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "f0931fc8f4b6847c72e170d2326861c0a081d680",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8f02d538878c9b1501f624595eb22ee4e5e0ff84",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "7654cc03eb699297130b693ec34e25f77b17c947",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev-\u003eremain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy\u0027d with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:41.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585"
},
{
"url": "https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e"
},
{
"url": "https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489"
},
{
"url": "https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d"
},
{
"url": "https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab"
},
{
"url": "https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680"
},
{
"url": "https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84"
},
{
"url": "https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947"
}
],
"title": "wifi: ath9k: hif_usb: fix memory leak of remain_skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53641",
"datePublished": "2025-10-07T15:19:41.028Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:41.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40111 (GCVE-0-2025-40111)
Vulnerability from cvelistv5 – Published: 2025-11-12 01:07 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
drm/vmwgfx: Fix Use-after-free in validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix Use-after-free in validation
Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
64ad2abfe9a628ce79859d072704bd1ef7682044 , < 1822e5287b7dfa59d0af966756ebf1dc652b60ee
(git)
Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < fb7165e5f3b3b10721ff70553583ad12e90e447a (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 4c918f9d1ccccc0e092f43dcb2d8266f54d7340b (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 9a8eaca539708ca532747f606d231f70e684e8ca (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 867bda5d95d36f10da398fd4409e21c7002b2332 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 655a2f29bfc21105c80bf8a7d7aafa6eca8b4496 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < 65608e991c2d771c13404e5c7ae122ac3c3357a4 (git) Affected: 64ad2abfe9a628ce79859d072704bd1ef7682044 , < dfe1323ab3c8a4dd5625ebfdba44dc47df84512a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1822e5287b7dfa59d0af966756ebf1dc652b60ee",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "fb7165e5f3b3b10721ff70553583ad12e90e447a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "4c918f9d1ccccc0e092f43dcb2d8266f54d7340b",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "9a8eaca539708ca532747f606d231f70e684e8ca",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "867bda5d95d36f10da398fd4409e21c7002b2332",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "655a2f29bfc21105c80bf8a7d7aafa6eca8b4496",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "65608e991c2d771c13404e5c7ae122ac3c3357a4",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "dfe1323ab3c8a4dd5625ebfdba44dc47df84512a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix Use-after-free in validation\n\nNodes stored in the validation duplicates hashtable come from an arena\nallocator that is cleared at the end of vmw_execbuf_process. All nodes\nare expected to be cleared in vmw_validation_drop_ht but this node escaped\nbecause its resource was destroyed prematurely."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:14.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee"
},
{
"url": "https://git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a"
},
{
"url": "https://git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b"
},
{
"url": "https://git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca"
},
{
"url": "https://git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332"
},
{
"url": "https://git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496"
},
{
"url": "https://git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4"
},
{
"url": "https://git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a"
}
],
"title": "drm/vmwgfx: Fix Use-after-free in validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40111",
"datePublished": "2025-11-12T01:07:25.203Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:14.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40204 (GCVE-0-2025-40204)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
sctp: Fix MAC comparison to be constant-time
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:07.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
},
{
"url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
},
{
"url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
},
{
"url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
},
{
"url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
},
{
"url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
},
{
"url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
},
{
"url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
}
],
"title": "sctp: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40204",
"datePublished": "2025-11-12T21:56:35.110Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:07.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40186 (GCVE-0-2025-40186)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
syzbot reported the splat below in tcp_conn_request(). [0]
If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.
After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.
Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.
Let's remove reqsk_fastopen_remove() in tcp_conn_request().
Note that other callers make sure tp->fastopen_rsk is not NULL.
[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
<IRQ>
tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
ip6_input (net/ipv6/ip6_input.c:500)
ipv6_rcv (net/ipv6/ip6_input.c:311)
__netif_receive_skb (net/core/dev.c:6104)
process_backlog (net/core/dev.c:6456)
__napi_poll (net/core/dev.c:7506)
net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480)
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7ec092a91ff351dcde89c23e795b73a328274db6 , < e359b742eac1eac75cff4e38ee2e8cea492acd9b
(git)
Affected: a4378dedd6e07e62f2fccb17d78c9665718763d0 , < ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d (git) Affected: 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 , < eb85ad5f23268d64b037bfb545cbcba3752f90c7 (git) Affected: 17d699727577814198d744d6afe54735c6b54c99 , < 643a94b0cf767325e953591c212be2eb826b9d7f (git) Affected: dfd06131107e7b699ef1e2a24ed2f7d17c917753 , < 422c1c173c39bbbae1e0eaaf8aefe40b2596233b (git) Affected: fa4749c065644af4db496b338452a69a3e5147d9 , < c11ace909e873118295e9eb22dc8c58b0b50eb32 (git) Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 (git) Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c (git) Affected: ae313d14b45eca7a6bb29cb9bf396d977e7d28fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e359b742eac1eac75cff4e38ee2e8cea492acd9b",
"status": "affected",
"version": "7ec092a91ff351dcde89c23e795b73a328274db6",
"versionType": "git"
},
{
"lessThan": "ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d",
"status": "affected",
"version": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"versionType": "git"
},
{
"lessThan": "eb85ad5f23268d64b037bfb545cbcba3752f90c7",
"status": "affected",
"version": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"versionType": "git"
},
{
"lessThan": "643a94b0cf767325e953591c212be2eb826b9d7f",
"status": "affected",
"version": "17d699727577814198d744d6afe54735c6b54c99",
"versionType": "git"
},
{
"lessThan": "422c1c173c39bbbae1e0eaaf8aefe40b2596233b",
"status": "affected",
"version": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"versionType": "git"
},
{
"lessThan": "c11ace909e873118295e9eb22dc8c58b0b50eb32",
"status": "affected",
"version": "fa4749c065644af4db496b338452a69a3e5147d9",
"versionType": "git"
},
{
"lessThan": "64dc47a13aa3d9daf7cec29b44dca8e22a6aea15",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"lessThan": "2e7cbbbe3d61c63606994b7ff73c72537afe2e1c",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"status": "affected",
"version": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.300",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.1.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.6.108",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet\u0027s remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:44.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b"
},
{
"url": "https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"
},
{
"url": "https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7"
},
{
"url": "https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f"
},
{
"url": "https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b"
},
{
"url": "https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32"
},
{
"url": "https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"
},
{
"url": "https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"
}
],
"title": "tcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40186",
"datePublished": "2025-11-12T21:56:29.033Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:44.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39822 (GCVE-0-2025-39822)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-09-29 06:00
VLAI?
EPSS
Title
io_uring/kbuf: fix signedness in this_len calculation
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: fix signedness in this_len calculation
When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4f411c068402c370c4f9a9d4950a97af97bbbb1",
"status": "affected",
"version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a",
"versionType": "git"
},
{
"lessThan": "c64eff368ac676e8540344d27a3de47e0ad90d21",
"status": "affected",
"version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: fix signedness in this_len calculation\n\nWhen importing and using buffers, buf-\u003elen is considered unsigned.\nHowever, buf-\u003elen is converted to signed int when committing. This can\nlead to unexpected behavior if the buffer is large enough to be\ninterpreted as a negative value. Make min_t calculation unsigned."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:22.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4f411c068402c370c4f9a9d4950a97af97bbbb1"
},
{
"url": "https://git.kernel.org/stable/c/c64eff368ac676e8540344d27a3de47e0ad90d21"
}
],
"title": "io_uring/kbuf: fix signedness in this_len calculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39822",
"datePublished": "2025-09-16T13:00:21.533Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2025-09-29T06:00:22.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40169 (GCVE-0-2025-40169)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
bpf: Reject negative offsets for ALU ops
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject negative offsets for ALU ops
When verifying BPF programs, the check_alu_op() function validates
instructions with ALU operations. The 'offset' field in these
instructions is a signed 16-bit integer.
The existing check 'insn->off > 1' was intended to ensure the offset is
either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is
signed, this check incorrectly accepts all negative values (e.g., -1).
This commit tightens the validation by changing the condition to
'(insn->off != 0 && insn->off != 1)'. This ensures that any value
other than the explicitly permitted 0 and 1 is rejected, hardening the
verifier against malformed BPF programs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 3bce44b344040e5eef3d64d38b157c15304c0aab
(git)
Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 5017c302ca4b2a45149ad64e058fa2d5623c068f (git) Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 21167bf70dbe400563e189ac632258d35eda38b5 (git) Affected: ec0e2da95f72d4a46050a4d994e4fe471474fd80 , < 55c0ced59fe17dee34e9dfd5f7be63cbab207758 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3bce44b344040e5eef3d64d38b157c15304c0aab",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "5017c302ca4b2a45149ad64e058fa2d5623c068f",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "21167bf70dbe400563e189ac632258d35eda38b5",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
},
{
"lessThan": "55c0ced59fe17dee34e9dfd5f7be63cbab207758",
"status": "affected",
"version": "ec0e2da95f72d4a46050a4d994e4fe471474fd80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject negative offsets for ALU ops\n\nWhen verifying BPF programs, the check_alu_op() function validates\ninstructions with ALU operations. The \u0027offset\u0027 field in these\ninstructions is a signed 16-bit integer.\n\nThe existing check \u0027insn-\u003eoff \u003e 1\u0027 was intended to ensure the offset is\neither 0, or 1 for BPF_MOD/BPF_DIV. However, because \u0027insn-\u003eoff\u0027 is\nsigned, this check incorrectly accepts all negative values (e.g., -1).\n\nThis commit tightens the validation by changing the condition to\n\u0027(insn-\u003eoff != 0 \u0026\u0026 insn-\u003eoff != 1)\u0027. This ensures that any value\nother than the explicitly permitted 0 and 1 is rejected, hardening the\nverifier against malformed BPF programs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:23.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3bce44b344040e5eef3d64d38b157c15304c0aab"
},
{
"url": "https://git.kernel.org/stable/c/5017c302ca4b2a45149ad64e058fa2d5623c068f"
},
{
"url": "https://git.kernel.org/stable/c/21167bf70dbe400563e189ac632258d35eda38b5"
},
{
"url": "https://git.kernel.org/stable/c/55c0ced59fe17dee34e9dfd5f7be63cbab207758"
}
],
"title": "bpf: Reject negative offsets for ALU ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40169",
"datePublished": "2025-11-12T10:46:51.736Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:23.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40001 (GCVE-0-2025-40001)
Vulnerability from cvelistv5 – Published: 2025-10-18 08:03 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
During the detaching of Marvell's SAS/SATA controller, the original code
calls cancel_delayed_work() in mvs_free() to cancel the delayed work
item mwq->work_q. However, if mwq->work_q is already running, the
cancel_delayed_work() may fail to cancel it. This can lead to
use-after-free scenarios where mvs_free() frees the mvs_info while
mvs_work_queue() is still executing and attempts to access the
already-freed mvs_info.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
mvs_pci_remove() |
mvs_free() | mvs_work_queue()
cancel_delayed_work() |
kfree(mvi) |
| mvi-> // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing
delayed work item completes before the mvs_info is deallocated.
This bug was found by static analysis.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
20b09c2992fefbe78f8cede7b404fb143a413c52 , < a6f68f219d4d4b92d7c781708d4afc4cc42961ec
(git)
Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < aacd1777d4a795c387a20b9ca776e2c1225d05d7 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 6ba7e73cafd155a5d3abf560d315f0bab2b9d89f (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < c2c35cb2a31844f84f21ab364b38b4309d756d42 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 3c90f583d679c81a5a607a6ae0051251b6dee35b (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 00d3af40b158ebf7c7db2b3bbb1598a54bf28127 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < feb946d2fc9dc754bf3d594d42cd228860ff8647 (git) Affected: 20b09c2992fefbe78f8cede7b404fb143a413c52 , < 60cd16a3b7439ccb699d0bf533799eeb894fd217 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6f68f219d4d4b92d7c781708d4afc4cc42961ec",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "aacd1777d4a795c387a20b9ca776e2c1225d05d7",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "6ba7e73cafd155a5d3abf560d315f0bab2b9d89f",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "c2c35cb2a31844f84f21ab364b38b4309d756d42",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "3c90f583d679c81a5a607a6ae0051251b6dee35b",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "00d3af40b158ebf7c7db2b3bbb1598a54bf28127",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "feb946d2fc9dc754bf3d594d42cd228860ff8647",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "60cd16a3b7439ccb699d0bf533799eeb894fd217",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell\u0027s SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq-\u003ework_q. However, if mwq-\u003ework_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nmvs_pci_remove() |\n mvs_free() | mvs_work_queue()\n cancel_delayed_work() |\n kfree(mvi) |\n | mvi-\u003e // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:13.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec"
},
{
"url": "https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7"
},
{
"url": "https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f"
},
{
"url": "https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42"
},
{
"url": "https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b"
},
{
"url": "https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127"
},
{
"url": "https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647"
},
{
"url": "https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217"
}
],
"title": "scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40001",
"datePublished": "2025-10-18T08:03:21.935Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:13.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40116 (GCVE-0-2025-40116)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
The kthread_run() function returns error pointers so the
max3421_hcd->spi_thread pointer can be either error pointers or NULL.
Check for both before dereferencing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 89838fe5c6c010ff8d3924f22afd9c18c5c95310
(git)
Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 3facf69a735e730ae36387f18780fe420708aa91 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < e0e0ce06f3571be9b26790e4df56ba37b1de8543 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 3723c3dda1cc82c9bbca08fcbd46705a361bfd56 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < b0439e3762ac9ea580f714e1504a1827d1ad32f5 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < b682ce44bf20ada752a2f6ce70d5a575c56f6a35 (git) Affected: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 , < 186e8f2bdba551f3ae23396caccd452d985c23e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89838fe5c6c010ff8d3924f22afd9c18c5c95310",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3facf69a735e730ae36387f18780fe420708aa91",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e0e0ce06f3571be9b26790e4df56ba37b1de8543",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3723c3dda1cc82c9bbca08fcbd46705a361bfd56",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b0439e3762ac9ea580f714e1504a1827d1ad32f5",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b682ce44bf20ada752a2f6ce70d5a575c56f6a35",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "186e8f2bdba551f3ae23396caccd452d985c23e3",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: max3421-hcd: Fix error pointer dereference in probe cleanup\n\nThe kthread_run() function returns error pointers so the\nmax3421_hcd-\u003espi_thread pointer can be either error pointers or NULL.\nCheck for both before dereferencing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:19.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310"
},
{
"url": "https://git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91"
},
{
"url": "https://git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543"
},
{
"url": "https://git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56"
},
{
"url": "https://git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5"
},
{
"url": "https://git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc"
},
{
"url": "https://git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35"
},
{
"url": "https://git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3"
}
],
"title": "usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40116",
"datePublished": "2025-11-12T10:23:17.569Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:19.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40047 (GCVE-0-2025-40047)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f31ecf671ddc498f20219453395794ff2383e06b , < 696ba6032081e617564a8113a001b8d7943cb928
(git)
Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 3e2205db2f0608898d535da1964e1b376aacfdaa (git) Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 2f8229d53d984c6a05b71ac9e9583d4354e3b91f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "696ba6032081e617564a8113a001b8d7943cb928",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "3e2205db2f0608898d535da1964e1b376aacfdaa",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "2f8229d53d984c6a05b71ac9e9583d4354e3b91f",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: always prune wait queue entry in io_waitid_wait()\n\nFor a successful return, always remove our entry from the wait queue\nentry list. Previously this was skipped if a cancelation was in\nprogress, but this can race with another invocation of the wait queue\nentry callback."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:52.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/696ba6032081e617564a8113a001b8d7943cb928"
},
{
"url": "https://git.kernel.org/stable/c/3e2205db2f0608898d535da1964e1b376aacfdaa"
},
{
"url": "https://git.kernel.org/stable/c/2f8229d53d984c6a05b71ac9e9583d4354e3b91f"
}
],
"title": "io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40047",
"datePublished": "2025-10-28T11:48:24.625Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2025-12-01T06:16:52.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40154 (GCVE-0-2025-40154)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver only shows an error message but leaves as is.
This may lead to unepxected results like OOB access.
This patch corrects the input mapping to the certain default value if
an invalid value is passed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
063422ca2a9de238401c3848c1b3641c07b6316c , < 2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01
(git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < dea9c8c9028c9374761224a7f9d824e845a2aa2e (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < f58fca15f3bf8b982e799c31e4afa8923788aa40 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 29a41bf6422688f0c5a09b18222e1a64b2629fa4 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 5c03ea2ef4ebba75c69c90929d8590eb3d3797a9 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 48880f3cdf2b6d8dcd91219c5b5c8a7526411322 (git) Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "dea9c8c9028c9374761224a7f9d824e845a2aa2e",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "f58fca15f3bf8b982e799c31e4afa8923788aa40",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "29a41bf6422688f0c5a09b18222e1a64b2629fa4",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "5c03ea2ef4ebba75c69c90929d8590eb3d3797a9",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "48880f3cdf2b6d8dcd91219c5b5c8a7526411322",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver only shows an error message but leaves as is.\nThis may lead to unepxected results like OOB access.\n\nThis patch corrects the input mapping to the certain default value if\nan invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:04.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01"
},
{
"url": "https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d"
},
{
"url": "https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e"
},
{
"url": "https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40"
},
{
"url": "https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4"
},
{
"url": "https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9"
},
{
"url": "https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322"
},
{
"url": "https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0"
}
],
"title": "ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40154",
"datePublished": "2025-11-12T10:23:28.470Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:04.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38360 (GCVE-0-2025-38360)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:47 – Updated: 2025-07-28 11:16
VLAI?
EPSS
Title
drm/amd/display: Add more checks for DSC / HUBP ONO guarantees
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add more checks for DSC / HUBP ONO guarantees
[WHY]
For non-zero DSC instances it's possible that the HUBP domain required
to drive it for sequential ONO ASICs isn't met, potentially causing
the logic to the tile to enter an undefined state leading to a system
hang.
[HOW]
Add more checks to ensure that the HUBP domain matching the DSC instance
is appropriately powered.
(cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6f8b7565cca4b745da54b7d5f26b7b9265a5f330 , < 646442758910d13f9afc57f38bc0a537c3575390
(git)
Affected: 6f8b7565cca4b745da54b7d5f26b7b9265a5f330 , < 3f4e601bc6765e4ff5f42cc2d00993c86b367f7e (git) Affected: 6f8b7565cca4b745da54b7d5f26b7b9265a5f330 , < 0d57dd1765d311111d9885346108c4deeae1deb4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "646442758910d13f9afc57f38bc0a537c3575390",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
},
{
"lessThan": "3f4e601bc6765e4ff5f42cc2d00993c86b367f7e",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
},
{
"lessThan": "0d57dd1765d311111d9885346108c4deeae1deb4",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add more checks for DSC / HUBP ONO guarantees\n\n[WHY]\nFor non-zero DSC instances it\u0027s possible that the HUBP domain required\nto drive it for sequential ONO ASICs isn\u0027t met, potentially causing\nthe logic to the tile to enter an undefined state leading to a system\nhang.\n\n[HOW]\nAdd more checks to ensure that the HUBP domain matching the DSC instance\nis appropriately powered.\n\n(cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec)"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:16:46.594Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/646442758910d13f9afc57f38bc0a537c3575390"
},
{
"url": "https://git.kernel.org/stable/c/3f4e601bc6765e4ff5f42cc2d00993c86b367f7e"
},
{
"url": "https://git.kernel.org/stable/c/0d57dd1765d311111d9885346108c4deeae1deb4"
}
],
"title": "drm/amd/display: Add more checks for DSC / HUBP ONO guarantees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38360",
"datePublished": "2025-07-25T12:47:31.397Z",
"dateReserved": "2025-04-16T04:51:24.007Z",
"dateUpdated": "2025-07-28T11:16:46.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40200 (GCVE-0-2025-40200)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
Squashfs: reject negative file sizes in squashfs_read_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 54170057a5fadd24a37b70de41e61d39284d9bd7
(git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 2871c74caa3f4f05b429e6bfefebac62dbf1b408 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < fbfc745db628de31f5c089147deeb87e95b89e66 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8118f66124895829443d09c207e654adcb2f9321 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8c7aad76751816207fee556d44aa88a710824810 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 875fb3f87ae0225b881319ba016a1a8c4ffd5812 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < f271155ff31aca8ef82c61c8df23ca97e9a77dd4 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8118f66124895829443d09c207e654adcb2f9321",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8c7aad76751816207fee556d44aa88a710824810",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:02.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
},
{
"url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
},
{
"url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
},
{
"url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
},
{
"url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
},
{
"url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
},
{
"url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
},
{
"url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
}
],
"title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40200",
"datePublished": "2025-11-12T21:56:33.783Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:20:02.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50551 (GCVE-0-2022-50551)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2025-12-23 13:29
VLAI?
EPSS
Title
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
? lock_chain_count+0x20/0x20
brcmf_fw_alloc_request.cold+0x19/0x3ea
? brcmf_fw_get_firmwares+0x250/0x250
? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
brcmf_usb_get_fwname+0x114/0x1a0
? brcmf_usb_reset_resume+0x120/0x120
? number+0x6c4/0x9a0
brcmf_c_process_clm_blob+0x168/0x590
? put_dec+0x90/0x90
? enable_ptr_key_workfn+0x20/0x20
? brcmf_common_pd_remove+0x50/0x50
? rcu_read_lock_sched_held+0xa1/0xd0
brcmf_c_preinit_dcmds+0x673/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1cc/0x260
? mark_held_locks+0x9f/0xe0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? _raw_spin_unlock_irqrestore+0x47/0x50
? trace_hardirqs_on+0x1c/0x120
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1476/0x1d50
? kmemdup+0x30/0x40
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
? usb_match_id.part.0+0x88/0xc0
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __mutex_unlock_slowpath+0xe7/0x660
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_set_configuration+0x984/0x1770
? kernfs_create_link+0x175/0x230
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_new_device.cold+0x463/0xf66
? hub_disconnect+0x400/0x400
? _raw_spin_unlock_irq+0x24/0x30
hub_event+0x10d5/0x3330
? hub_port_debounce+0x280/0x280
? __lock_acquire+0x1671/0x5790
? wq_calc_node_cpumask+0x170/0x2a0
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? pr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
46d703a775394e4724509ff55cdda41d228c028c , < 1db036d13e10809943c2dce553e2fa7fc9c6cd80
(git)
Affected: 46d703a775394e4724509ff55cdda41d228c028c , < bc45aa1911bf699b9905f12414e3c1879d6b784f (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 4c8fc44c44b97854623c56363c359f711fc0b887 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 9d2f70fa2c7cc6c73a420ff15682454782d3d6f6 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 5b06a8a25eba07628313aa3c5496522eff97be53 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 87792567d9ed93fd336d2c3b8d7870f44e141e6d (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 0b12d2aa264bac35bff9b5399bb162262b2b8949 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 579c9b9838e8a73f6e93ddece07972c241514dcc (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < ffb589963df103caaf062081a32db0b9e1798660 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 81d17f6f3331f03c8eafdacea68ab773426c1e3c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1db036d13e10809943c2dce553e2fa7fc9c6cd80",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "bc45aa1911bf699b9905f12414e3c1879d6b784f",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "4c8fc44c44b97854623c56363c359f711fc0b887",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "9d2f70fa2c7cc6c73a420ff15682454782d3d6f6",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "5b06a8a25eba07628313aa3c5496522eff97be53",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "87792567d9ed93fd336d2c3b8d7870f44e141e6d",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "0b12d2aa264bac35bff9b5399bb162262b2b8949",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "579c9b9838e8a73f6e93ddece07972c241514dcc",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "ffb589963df103caaf062081a32db0b9e1798660",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "81d17f6f3331f03c8eafdacea68ab773426c1e3c",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()\n\nThis patch fixes a shift-out-of-bounds in brcmfmac that occurs in\nBIT(chiprev) when a \u0027chiprev\u0027 provided by the device is too large.\nIt should also not be equal to or greater than BITS_PER_TYPE(u32)\nas we do bitwise AND with a u32 variable and BIT(chiprev). The patch\nadds a check that makes the function return NULL if that is the case.\nNote that the NULL case is later handled by the bus-specific caller,\nbrcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.\n\nFound by a modified version of syzkaller.\n\nUBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c\nshift exponent 151055786 is too large for 64-bit type \u0027long unsigned int\u0027\nCPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb\n ? lock_chain_count+0x20/0x20\n brcmf_fw_alloc_request.cold+0x19/0x3ea\n ? brcmf_fw_get_firmwares+0x250/0x250\n ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0\n brcmf_usb_get_fwname+0x114/0x1a0\n ? brcmf_usb_reset_resume+0x120/0x120\n ? number+0x6c4/0x9a0\n brcmf_c_process_clm_blob+0x168/0x590\n ? put_dec+0x90/0x90\n ? enable_ptr_key_workfn+0x20/0x20\n ? brcmf_common_pd_remove+0x50/0x50\n ? rcu_read_lock_sched_held+0xa1/0xd0\n brcmf_c_preinit_dcmds+0x673/0xc40\n ? brcmf_c_set_joinpref_default+0x100/0x100\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lock_acquire+0x19d/0x4e0\n ? find_held_lock+0x2d/0x110\n ? brcmf_usb_deq+0x1cc/0x260\n ? mark_held_locks+0x9f/0xe0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n ? trace_hardirqs_on+0x1c/0x120\n ? brcmf_usb_deq+0x1a7/0x260\n ? brcmf_usb_rx_fill_all+0x5a/0xf0\n brcmf_attach+0x246/0xd40\n ? wiphy_new_nm+0x1476/0x1d50\n ? kmemdup+0x30/0x40\n brcmf_usb_probe+0x12de/0x1690\n ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n ? usb_match_id.part.0+0x88/0xc0\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __mutex_unlock_slowpath+0xe7/0x660\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_set_configuration+0x984/0x1770\n ? kernfs_create_link+0x175/0x230\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_new_device.cold+0x463/0xf66\n ? hub_disconnect+0x400/0x400\n ? _raw_spin_unlock_irq+0x24/0x30\n hub_event+0x10d5/0x3330\n ? hub_port_debounce+0x280/0x280\n ? __lock_acquire+0x1671/0x5790\n ? wq_calc_node_cpumask+0x170/0x2a0\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x873/0x13e0\n ? lock_release+0x640/0x640\n ? pwq_dec_nr_in_flight+0x320/0x320\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x8b/0xd10\n ? __kthread_parkme+0xd9/0x1d0\n ? pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:53.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1db036d13e10809943c2dce553e2fa7fc9c6cd80"
},
{
"url": "https://git.kernel.org/stable/c/bc45aa1911bf699b9905f12414e3c1879d6b784f"
},
{
"url": "https://git.kernel.org/stable/c/4c8fc44c44b97854623c56363c359f711fc0b887"
},
{
"url": "https://git.kernel.org/stable/c/9d2f70fa2c7cc6c73a420ff15682454782d3d6f6"
},
{
"url": "https://git.kernel.org/stable/c/5b06a8a25eba07628313aa3c5496522eff97be53"
},
{
"url": "https://git.kernel.org/stable/c/87792567d9ed93fd336d2c3b8d7870f44e141e6d"
},
{
"url": "https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949"
},
{
"url": "https://git.kernel.org/stable/c/579c9b9838e8a73f6e93ddece07972c241514dcc"
},
{
"url": "https://git.kernel.org/stable/c/ffb589963df103caaf062081a32db0b9e1798660"
},
{
"url": "https://git.kernel.org/stable/c/81d17f6f3331f03c8eafdacea68ab773426c1e3c"
}
],
"title": "wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50551",
"datePublished": "2025-10-07T15:21:13.391Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-12-23T13:29:53.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50494 (GCVE-0-2022-50494)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2025-12-23 13:29
VLAI?
EPSS
Title
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
When CPU 0 is offline and intel_powerclamp is used to inject
idle, it generates kernel BUG:
BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
caller is debug_smp_processor_id+0x17/0x20
CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
check_preemption_disabled+0xdd/0xe0
debug_smp_processor_id+0x17/0x20
powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
...
...
Here CPU 0 is the control CPU by default and changed to the current CPU,
if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
hence the above warning.
Use get_cpu() instead of smp_processor_id() to avoid this BUG.
[ rjw: Subject edits ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 3e799e815097febbcb81b472285be824f5d089f9
(git)
Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 0f91f66c568b316b19cb042cf50584467b3bdff4 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 6904727db0eb62fb0c2dce1cf331c341d97ee4b7 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 5a646c38f648185ee2c62f2a19da3c6f04e27612 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 513943bf879d45005213e6f5cfb7d9e9943f589f (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 5614908434451aafbf9b24cb5247cf1d21269f76 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 6e2a347b304224b2aeb1c0ea000d1cf8a02cc592 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 418fae0700e85a498062424f8656435c32cdb200 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 68b99e94a4a2db6ba9b31fe0485e057b9354a640 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e799e815097febbcb81b472285be824f5d089f9",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "0f91f66c568b316b19cb042cf50584467b3bdff4",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "6904727db0eb62fb0c2dce1cf331c341d97ee4b7",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "5a646c38f648185ee2c62f2a19da3c6f04e27612",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "513943bf879d45005213e6f5cfb7d9e9943f589f",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "5614908434451aafbf9b24cb5247cf1d21269f76",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "6e2a347b304224b2aeb1c0ea000d1cf8a02cc592",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "418fae0700e85a498062424f8656435c32cdb200",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "68b99e94a4a2db6ba9b31fe0485e057b9354a640",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash\n\nWhen CPU 0 is offline and intel_powerclamp is used to inject\nidle, it generates kernel BUG:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: bash/15687\ncaller is debug_smp_processor_id+0x17/0x20\nCPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\ncheck_preemption_disabled+0xdd/0xe0\ndebug_smp_processor_id+0x17/0x20\npowerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]\n...\n...\n\nHere CPU 0 is the control CPU by default and changed to the current CPU,\nif CPU 0 offlined. This check has to be performed under cpus_read_lock(),\nhence the above warning.\n\nUse get_cpu() instead of smp_processor_id() to avoid this BUG.\n\n[ rjw: Subject edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:40.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e799e815097febbcb81b472285be824f5d089f9"
},
{
"url": "https://git.kernel.org/stable/c/0f91f66c568b316b19cb042cf50584467b3bdff4"
},
{
"url": "https://git.kernel.org/stable/c/6904727db0eb62fb0c2dce1cf331c341d97ee4b7"
},
{
"url": "https://git.kernel.org/stable/c/5a646c38f648185ee2c62f2a19da3c6f04e27612"
},
{
"url": "https://git.kernel.org/stable/c/513943bf879d45005213e6f5cfb7d9e9943f589f"
},
{
"url": "https://git.kernel.org/stable/c/5614908434451aafbf9b24cb5247cf1d21269f76"
},
{
"url": "https://git.kernel.org/stable/c/6e2a347b304224b2aeb1c0ea000d1cf8a02cc592"
},
{
"url": "https://git.kernel.org/stable/c/418fae0700e85a498062424f8656435c32cdb200"
},
{
"url": "https://git.kernel.org/stable/c/68b99e94a4a2db6ba9b31fe0485e057b9354a640"
}
],
"title": "thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50494",
"datePublished": "2025-10-04T15:43:46.562Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-12-23T13:29:40.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53597 (GCVE-0-2023-53597)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:44 – Updated: 2025-10-04 15:44
VLAI?
EPSS
Title
cifs: fix mid leak during reconnection after timeout threshold
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix mid leak during reconnection after timeout threshold
When the number of responses with status of STATUS_IO_TIMEOUT
exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect
the connection. But we do not return the mid, or the credits
returned for the mid, or reduce the number of in-flight requests.
This bug could result in the server->in_flight count to go bad,
and also cause a leak in the mids.
This change moves the check to a few lines below where the
response is decrypted, even of the response is read from the
transform header. This way, the code for returning the mids
can be reused.
Also, the cifs_reconnect was reconnecting just the transport
connection before. In case of multi-channel, this may not be
what we want to do after several timeouts. Changed that to
reconnect the session and the tree too.
Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name
MAX_STATUS_IO_TIMEOUT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8e670f77c4a55013db6d23b962f9bf6673a5e7b6 , < df31d05f0678cdd0796ea19983a2b93edca18bb0
(git)
Affected: 8e670f77c4a55013db6d23b962f9bf6673a5e7b6 , < c55901d381a22300c9922170e59704059f50977b (git) Affected: 8e670f77c4a55013db6d23b962f9bf6673a5e7b6 , < 57d25e9905c71133e201f6d06b56a3403d4ad433 (git) Affected: 8e670f77c4a55013db6d23b962f9bf6673a5e7b6 , < 69cba9d3c1284e0838ae408830a02c4a063104bc (git) Affected: fa6d7a5853f93efb088aba36af12cb1944156411 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df31d05f0678cdd0796ea19983a2b93edca18bb0",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "c55901d381a22300c9922170e59704059f50977b",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "57d25e9905c71133e201f6d06b56a3403d4ad433",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "69cba9d3c1284e0838ae408830a02c4a063104bc",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"status": "affected",
"version": "fa6d7a5853f93efb088aba36af12cb1944156411",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix mid leak during reconnection after timeout threshold\n\nWhen the number of responses with status of STATUS_IO_TIMEOUT\nexceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect\nthe connection. But we do not return the mid, or the credits\nreturned for the mid, or reduce the number of in-flight requests.\n\nThis bug could result in the server-\u003ein_flight count to go bad,\nand also cause a leak in the mids.\n\nThis change moves the check to a few lines below where the\nresponse is decrypted, even of the response is read from the\ntransform header. This way, the code for returning the mids\ncan be reused.\n\nAlso, the cifs_reconnect was reconnecting just the transport\nconnection before. In case of multi-channel, this may not be\nwhat we want to do after several timeouts. Changed that to\nreconnect the session and the tree too.\n\nAlso renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name\nMAX_STATUS_IO_TIMEOUT."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:09.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df31d05f0678cdd0796ea19983a2b93edca18bb0"
},
{
"url": "https://git.kernel.org/stable/c/c55901d381a22300c9922170e59704059f50977b"
},
{
"url": "https://git.kernel.org/stable/c/57d25e9905c71133e201f6d06b56a3403d4ad433"
},
{
"url": "https://git.kernel.org/stable/c/69cba9d3c1284e0838ae408830a02c4a063104bc"
}
],
"title": "cifs: fix mid leak during reconnection after timeout threshold",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53597",
"datePublished": "2025-10-04T15:44:09.616Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:09.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40074 (GCVE-0-2025-40074)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ipv4: start using dst_dev_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: start using dst_dev_rcu()
Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.
Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),
ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "923e0734c386984d45de508528a7a7ad91d791cc",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: start using dst_dev_rcu()\n\nChange icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.\n\nChange ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),\nipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:30.009Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/923e0734c386984d45de508528a7a7ad91d791cc"
},
{
"url": "https://git.kernel.org/stable/c/6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8"
}
],
"title": "ipv4: start using dst_dev_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40074",
"datePublished": "2025-10-28T11:48:41.202Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:30.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40198 (GCVE-0-2025-40198)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated. Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 7bf46ff83a0ef11836e38ebd72cdc5107209342d
(git)
Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < b2bac84fde28fb6a88817b8b761abda17a1d300b (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < e651294218d2684302ee5ed95ccf381646f3e5b4 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 01829af7656b56d83682b3491265d583d502e502 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 2a0cf438320cdb783e0378570744c0ef0d83e934 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < a6e94557cd05adc82fae0400f6e17745563e5412 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "01829af7656b56d83682b3491265d583d502e502",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "a6e94557cd05adc82fae0400f6e17745563e5412",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated. Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:59.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d"
},
{
"url": "https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b"
},
{
"url": "https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4"
},
{
"url": "https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502"
},
{
"url": "https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934"
},
{
"url": "https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412"
},
{
"url": "https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8"
}
],
"title": "ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40198",
"datePublished": "2025-11-12T21:56:33.220Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:59.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40156 (GCVE-0-2025-40156)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()
The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which
would lead to a error pointer dereference. Use IS_ERR_OR_NULL() to check
that the pointer is valid.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 9cc23e221f392304b7b8aad213812564ddf6517e
(git)
Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 80eab6a9df7e1107dc334434dbacd05297703377 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 44e32104cf7e670e3d683c97b52350d8fac23322 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < 24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0 (git) Affected: e09bd5757b5227d6804b30c58d4587f7f87d1afa , < fc33bf0e097c6834646b98a7b3da0ae5b617f0f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/mtk-cci-devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cc23e221f392304b7b8aad213812564ddf6517e",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "80eab6a9df7e1107dc334434dbacd05297703377",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "44e32104cf7e670e3d683c97b52350d8fac23322",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
},
{
"lessThan": "fc33bf0e097c6834646b98a7b3da0ae5b617f0f9",
"status": "affected",
"version": "e09bd5757b5227d6804b30c58d4587f7f87d1afa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/mtk-cci-devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()\n\nThe drv-\u003esram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which\nwould lead to a error pointer dereference. Use IS_ERR_OR_NULL() to check\nthat the pointer is valid."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:07.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cc23e221f392304b7b8aad213812564ddf6517e"
},
{
"url": "https://git.kernel.org/stable/c/80eab6a9df7e1107dc334434dbacd05297703377"
},
{
"url": "https://git.kernel.org/stable/c/44e32104cf7e670e3d683c97b52350d8fac23322"
},
{
"url": "https://git.kernel.org/stable/c/24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0"
},
{
"url": "https://git.kernel.org/stable/c/fc33bf0e097c6834646b98a7b3da0ae5b617f0f9"
}
],
"title": "PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40156",
"datePublished": "2025-11-12T10:23:28.994Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:07.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40098 (GCVE-0-2025-40098)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()
Return value of a function acpi_evaluate_dsm() is dereferenced without
checking for NULL, but it is usually checked for this function.
acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns
acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b518386db2b993d786c431caa9f46ce063c5cb05",
"status": "affected",
"version": "447106e92a0c86c332d40710436f38f64c322cd6",
"versionType": "git"
},
{
"lessThan": "8527bbb33936340525a3504a00932b2f8fd75754",
"status": "affected",
"version": "447106e92a0c86c332d40710436f38f64c322cd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()\n\nReturn value of a function acpi_evaluate_dsm() is dereferenced without\nchecking for NULL, but it is usually checked for this function.\n\nacpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns\nacpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:58.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b518386db2b993d786c431caa9f46ce063c5cb05"
},
{
"url": "https://git.kernel.org/stable/c/8527bbb33936340525a3504a00932b2f8fd75754"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40098",
"datePublished": "2025-10-30T09:48:05.200Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-12-01T06:17:58.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50578 (GCVE-0-2022-50578)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2025-10-22 13:23
VLAI?
EPSS
Title
class: fix possible memory leak in __class_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
class: fix possible memory leak in __class_register()
If class_add_groups() returns error, the 'cp->subsys' need be
unregister, and the 'cp' need be freed.
We can not call kset_unregister() here, because the 'cls' will
be freed in callback function class_release() and it's also
freed in caller's error path, it will cause double free.
So fix this by calling kobject_del() and kfree_const(name) to
cleanup kobject. Besides, call kfree() to free the 'cp'.
Fault injection test can trigger this:
unreferenced object 0xffff888102fa8190 (size 8):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 8 bytes):
70 6b 74 63 64 76 64 00 pktcdvd.
backtrace:
[<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320
[<000000005e4d70bc>] kstrdup+0x3a/0x70
[<00000000c2e5e85a>] kstrdup_const+0x68/0x80
[<000000000049a8c7>] kvasprintf_const+0x10b/0x190
[<0000000029123163>] kobject_set_name_vargs+0x56/0x150
[<00000000747219c9>] kobject_set_name+0xab/0xe0
[<0000000005f1ea4e>] __class_register+0x15c/0x49a
unreferenced object 0xffff888037274000 (size 1024):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 32 bytes):
00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7....
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
backtrace:
[<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0
[<00000000ecf3dd95>] __class_register+0x86/0x49a
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ced6473e7486702f530a49f886b73195e4977734 , < 4efa5443817c1b6de22d401aeca5b2481e835f8c
(git)
Affected: ced6473e7486702f530a49f886b73195e4977734 , < 3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 3e0efc3f3f5e5c73996782f8db69963e501bb878 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 18a7200646958cf8e1b8a933de08122fc50676cd (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < e764ad5918a099ebeb909ccff83893a714e497e1 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < abaedb68a769e6bf36836b55a2f49b531c5f3f7b (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4efa5443817c1b6de22d401aeca5b2481e835f8c",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3e0efc3f3f5e5c73996782f8db69963e501bb878",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "18a7200646958cf8e1b8a933de08122fc50676cd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "e764ad5918a099ebeb909ccff83893a714e497e1",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "abaedb68a769e6bf36836b55a2f49b531c5f3f7b",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "8c3e8a6bdb5253b97ad532570f8b5db5f7a06407",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix possible memory leak in __class_register()\n\nIf class_add_groups() returns error, the \u0027cp-\u003esubsys\u0027 need be\nunregister, and the \u0027cp\u0027 need be freed.\n\nWe can not call kset_unregister() here, because the \u0027cls\u0027 will\nbe freed in callback function class_release() and it\u0027s also\nfreed in caller\u0027s error path, it will cause double free.\n\nSo fix this by calling kobject_del() and kfree_const(name) to\ncleanup kobject. Besides, call kfree() to free the \u0027cp\u0027.\n\nFault injection test can trigger this:\n\nunreferenced object 0xffff888102fa8190 (size 8):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 8 bytes):\n 70 6b 74 63 64 76 64 00 pktcdvd.\n backtrace:\n [\u003c00000000e7c7703d\u003e] __kmalloc_track_caller+0x1ae/0x320\n [\u003c000000005e4d70bc\u003e] kstrdup+0x3a/0x70\n [\u003c00000000c2e5e85a\u003e] kstrdup_const+0x68/0x80\n [\u003c000000000049a8c7\u003e] kvasprintf_const+0x10b/0x190\n [\u003c0000000029123163\u003e] kobject_set_name_vargs+0x56/0x150\n [\u003c00000000747219c9\u003e] kobject_set_name+0xab/0xe0\n [\u003c0000000005f1ea4e\u003e] __class_register+0x15c/0x49a\n\nunreferenced object 0xffff888037274000 (size 1024):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 32 bytes):\n 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@\u00277.....@\u00277....\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n backtrace:\n [\u003c00000000151f9600\u003e] kmem_cache_alloc_trace+0x17c/0x2f0\n [\u003c00000000ecf3dd95\u003e] __class_register+0x86/0x49a"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:31.565Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4efa5443817c1b6de22d401aeca5b2481e835f8c"
},
{
"url": "https://git.kernel.org/stable/c/3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd"
},
{
"url": "https://git.kernel.org/stable/c/3e0efc3f3f5e5c73996782f8db69963e501bb878"
},
{
"url": "https://git.kernel.org/stable/c/18a7200646958cf8e1b8a933de08122fc50676cd"
},
{
"url": "https://git.kernel.org/stable/c/417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7"
},
{
"url": "https://git.kernel.org/stable/c/e764ad5918a099ebeb909ccff83893a714e497e1"
},
{
"url": "https://git.kernel.org/stable/c/abaedb68a769e6bf36836b55a2f49b531c5f3f7b"
},
{
"url": "https://git.kernel.org/stable/c/8c3e8a6bdb5253b97ad532570f8b5db5f7a06407"
}
],
"title": "class: fix possible memory leak in __class_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50578",
"datePublished": "2025-10-22T13:23:31.565Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:31.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21710 (GCVE-0-2025-21710)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-05-04 07:19
VLAI?
EPSS
Title
tcp: correct handling of extreme memory squeeze
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: correct handling of extreme memory squeeze
Testing with iperf3 using the "pasta" protocol splicer has revealed
a problem in the way tcp handles window advertising in extreme memory
squeeze situations.
Under memory pressure, a socket endpoint may temporarily advertise
a zero-sized window, but this is not stored as part of the socket data.
The reasoning behind this is that it is considered a temporary setting
which shouldn't influence any further calculations.
However, if we happen to stall at an unfortunate value of the current
window size, the algorithm selecting a new value will consistently fail
to advertise a non-zero window once we have freed up enough memory.
This means that this side's notion of the current window size is
different from the one last advertised to the peer, causing the latter
to not send any data to resolve the sitution.
The problem occurs on the iperf3 server side, and the socket in question
is a completely regular socket with the default settings for the
fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.
The following excerpt of a logging session, with own comments added,
shows more in detail what is happening:
// tcp_v4_rcv(->)
// tcp_rcv_established(->)
[5201<->39222]: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====
[5201<->39222]: tcp_data_queue(->)
[5201<->39222]: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM
[rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]
[copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0]
[OFO queue: gap: 65480, len: 0]
[5201<->39222]: tcp_data_queue(<-)
[5201<->39222]: __tcp_transmit_skb(->)
[tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]
[5201<->39222]: tcp_select_window(->)
[5201<->39222]: (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE
[tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]
returning 0
[5201<->39222]: tcp_select_window(<-)
[5201<->39222]: ADVERTISING WIN 0, ACK_SEQ: 265600160
[5201<->39222]: [__tcp_transmit_skb(<-)
[5201<->39222]: tcp_rcv_established(<-)
[5201<->39222]: tcp_v4_rcv(<-)
// Receive queue is at 85 buffers and we are out of memory.
// We drop the incoming buffer, although it is in sequence, and decide
// to send an advertisement with a window of zero.
// We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means
// we unconditionally shrink the window.
[5201<->39222]: tcp_recvmsg_locked(->)
[5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160
[5201<->39222]: [new_win = 0, win_now = 131184, 2 * win_now = 262368]
[5201<->39222]: [new_win >= (2 * win_now) ? --> time_to_ack = 0]
[5201<->39222]: NOT calling tcp_send_ack()
[tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]
[5201<->39222]: __tcp_cleanup_rbuf(<-)
[rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]
[copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0]
returning 6104 bytes
[5201<->39222]: tcp_recvmsg_locked(<-)
// After each read, the algorithm for calculating the new receive
// window in __tcp_cleanup_rbuf() finds it is too small to advertise
// or to update tp->rcv_wnd.
// Meanwhile, the peer thinks the window is zero, and will not send
// any more data to trigger an update from the interrupt mode side.
[5201<->39222]: tcp_recvmsg_locked(->)
[5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160
[5201<->39222]: [new_win = 262144, win_now = 131184, 2 * win_n
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e2142825c120d4317abf7160a0fc34b3de532586 , < b01e7ceb35dcb7ffad413da657b78c3340a09039
(git)
Affected: e2142825c120d4317abf7160a0fc34b3de532586 , < 1dd823a46e25ffde1492c391934f69a9e5eb574f (git) Affected: e2142825c120d4317abf7160a0fc34b3de532586 , < b4055e2fe96f4ef101d8af0feb056d78d77514ff (git) Affected: e2142825c120d4317abf7160a0fc34b3de532586 , < 8c670bdfa58e48abad1d5b6ca1ee843ca91f7303 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b01e7ceb35dcb7ffad413da657b78c3340a09039",
"status": "affected",
"version": "e2142825c120d4317abf7160a0fc34b3de532586",
"versionType": "git"
},
{
"lessThan": "1dd823a46e25ffde1492c391934f69a9e5eb574f",
"status": "affected",
"version": "e2142825c120d4317abf7160a0fc34b3de532586",
"versionType": "git"
},
{
"lessThan": "b4055e2fe96f4ef101d8af0feb056d78d77514ff",
"status": "affected",
"version": "e2142825c120d4317abf7160a0fc34b3de532586",
"versionType": "git"
},
{
"lessThan": "8c670bdfa58e48abad1d5b6ca1ee843ca91f7303",
"status": "affected",
"version": "e2142825c120d4317abf7160a0fc34b3de532586",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: correct handling of extreme memory squeeze\n\nTesting with iperf3 using the \"pasta\" protocol splicer has revealed\na problem in the way tcp handles window advertising in extreme memory\nsqueeze situations.\n\nUnder memory pressure, a socket endpoint may temporarily advertise\na zero-sized window, but this is not stored as part of the socket data.\nThe reasoning behind this is that it is considered a temporary setting\nwhich shouldn\u0027t influence any further calculations.\n\nHowever, if we happen to stall at an unfortunate value of the current\nwindow size, the algorithm selecting a new value will consistently fail\nto advertise a non-zero window once we have freed up enough memory.\nThis means that this side\u0027s notion of the current window size is\ndifferent from the one last advertised to the peer, causing the latter\nto not send any data to resolve the sitution.\n\nThe problem occurs on the iperf3 server side, and the socket in question\nis a completely regular socket with the default settings for the\nfedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.\n\nThe following excerpt of a logging session, with own comments added,\nshows more in detail what is happening:\n\n// tcp_v4_rcv(-\u003e)\n// tcp_rcv_established(-\u003e)\n[5201\u003c-\u003e39222]: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====\n[5201\u003c-\u003e39222]: tcp_data_queue(-\u003e)\n[5201\u003c-\u003e39222]: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM\n [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n [copied_seq 259909392-\u003e260034360 (124968), unread 5565800, qlen 85, ofoq 0]\n [OFO queue: gap: 65480, len: 0]\n[5201\u003c-\u003e39222]: tcp_data_queue(\u003c-)\n[5201\u003c-\u003e39222]: __tcp_transmit_skb(-\u003e)\n [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n[5201\u003c-\u003e39222]: tcp_select_window(-\u003e)\n[5201\u003c-\u003e39222]: (inet_csk(sk)-\u003eicsk_ack.pending \u0026 ICSK_ACK_NOMEM) ? --\u003e TRUE\n [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n returning 0\n[5201\u003c-\u003e39222]: tcp_select_window(\u003c-)\n[5201\u003c-\u003e39222]: ADVERTISING WIN 0, ACK_SEQ: 265600160\n[5201\u003c-\u003e39222]: [__tcp_transmit_skb(\u003c-)\n[5201\u003c-\u003e39222]: tcp_rcv_established(\u003c-)\n[5201\u003c-\u003e39222]: tcp_v4_rcv(\u003c-)\n\n// Receive queue is at 85 buffers and we are out of memory.\n// We drop the incoming buffer, although it is in sequence, and decide\n// to send an advertisement with a window of zero.\n// We don\u0027t update tp-\u003ercv_wnd and tp-\u003ercv_wup accordingly, which means\n// we unconditionally shrink the window.\n\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(-\u003e)\n[5201\u003c-\u003e39222]: __tcp_cleanup_rbuf(-\u003e) tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160\n[5201\u003c-\u003e39222]: [new_win = 0, win_now = 131184, 2 * win_now = 262368]\n[5201\u003c-\u003e39222]: [new_win \u003e= (2 * win_now) ? --\u003e time_to_ack = 0]\n[5201\u003c-\u003e39222]: NOT calling tcp_send_ack()\n [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n[5201\u003c-\u003e39222]: __tcp_cleanup_rbuf(\u003c-)\n [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n [copied_seq 260040464-\u003e260040464 (0), unread 5559696, qlen 85, ofoq 0]\n returning 6104 bytes\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(\u003c-)\n\n// After each read, the algorithm for calculating the new receive\n// window in __tcp_cleanup_rbuf() finds it is too small to advertise\n// or to update tp-\u003ercv_wnd.\n// Meanwhile, the peer thinks the window is zero, and will not send\n// any more data to trigger an update from the interrupt mode side.\n\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(-\u003e)\n[5201\u003c-\u003e39222]: __tcp_cleanup_rbuf(-\u003e) tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160\n[5201\u003c-\u003e39222]: [new_win = 262144, win_now = 131184, 2 * win_n\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:28.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b01e7ceb35dcb7ffad413da657b78c3340a09039"
},
{
"url": "https://git.kernel.org/stable/c/1dd823a46e25ffde1492c391934f69a9e5eb574f"
},
{
"url": "https://git.kernel.org/stable/c/b4055e2fe96f4ef101d8af0feb056d78d77514ff"
},
{
"url": "https://git.kernel.org/stable/c/8c670bdfa58e48abad1d5b6ca1ee843ca91f7303"
}
],
"title": "tcp: correct handling of extreme memory squeeze",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21710",
"datePublished": "2025-02-27T02:07:23.112Z",
"dateReserved": "2024-12-29T08:45:45.752Z",
"dateUpdated": "2025-05-04T07:19:28.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40105 (GCVE-0-2025-40105)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
vfs: Don't leak disconnected dentries on umount
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfs: Don't leak disconnected dentries on umount
When user calls open_by_handle_at() on some inode that is not cached, we
will create disconnected dentry for it. If such dentry is a directory,
exportfs_decode_fh_raw() will then try to connect this dentry to the
dentry tree through reconnect_path(). It may happen for various reasons
(such as corrupted fs or race with rename) that the call to
lookup_one_unlocked() in reconnect_one() will fail to find the dentry we
are trying to reconnect and instead create a new dentry under the
parent. Now this dentry will not be marked as disconnected although the
parent still may well be disconnected (at least in case this
inconsistency happened because the fs is corrupted and .. doesn't point
to the real parent directory). This creates inconsistency in
disconnected flags but AFAICS it was mostly harmless. At least until
commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
which removed adding of most disconnected dentries to sb->s_anon list.
Thus after this commit cleanup of disconnected dentries implicitely
relies on the fact that dput() will immediately reclaim such dentries.
However when some leaf dentry isn't marked as disconnected, as in the
scenario described above, the reclaim doesn't happen and the dentries
are "leaked". Memory reclaim can eventually reclaim them but otherwise
they stay in memory and if umount comes first, we hit infamous "Busy
inodes after unmount" bug. Make sure all dentries created under a
disconnected parent are marked as disconnected as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1ee616214cb22410e939d963bbb2349c2570f02 , < b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4
(git)
Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 20863bb7fbb016379f8227122edfabc5c799bc79 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 8004d4b8cbf1bd68a23c160d57287e177c82cc69 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 7e0c8aaf4e28918abded547a5147c7d52c4af7d2 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < cebfbf40056a4d858b2a3ca59a69936d599bd209 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < eadc49999fa994d6fbd70c332bd5d5051cc42261 (git) Affected: f1ee616214cb22410e939d963bbb2349c2570f02 , < 56094ad3eaa21e6621396cc33811d8f72847a834 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "20863bb7fbb016379f8227122edfabc5c799bc79",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "8004d4b8cbf1bd68a23c160d57287e177c82cc69",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "7e0c8aaf4e28918abded547a5147c7d52c4af7d2",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "cebfbf40056a4d858b2a3ca59a69936d599bd209",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "eadc49999fa994d6fbd70c332bd5d5051cc42261",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "56094ad3eaa21e6621396cc33811d8f72847a834",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don\u0027t leak disconnected dentries on umount\n\nWhen user calls open_by_handle_at() on some inode that is not cached, we\nwill create disconnected dentry for it. If such dentry is a directory,\nexportfs_decode_fh_raw() will then try to connect this dentry to the\ndentry tree through reconnect_path(). It may happen for various reasons\n(such as corrupted fs or race with rename) that the call to\nlookup_one_unlocked() in reconnect_one() will fail to find the dentry we\nare trying to reconnect and instead create a new dentry under the\nparent. Now this dentry will not be marked as disconnected although the\nparent still may well be disconnected (at least in case this\ninconsistency happened because the fs is corrupted and .. doesn\u0027t point\nto the real parent directory). This creates inconsistency in\ndisconnected flags but AFAICS it was mostly harmless. At least until\ncommit f1ee616214cb (\"VFS: don\u0027t keep disconnected dentries on d_anon\")\nwhich removed adding of most disconnected dentries to sb-\u003es_anon list.\nThus after this commit cleanup of disconnected dentries implicitely\nrelies on the fact that dput() will immediately reclaim such dentries.\nHowever when some leaf dentry isn\u0027t marked as disconnected, as in the\nscenario described above, the reclaim doesn\u0027t happen and the dentries\nare \"leaked\". Memory reclaim can eventually reclaim them but otherwise\nthey stay in memory and if umount comes first, we hit infamous \"Busy\ninodes after unmount\" bug. Make sure all dentries created under a\ndisconnected parent are marked as disconnected as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:08.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4"
},
{
"url": "https://git.kernel.org/stable/c/20863bb7fbb016379f8227122edfabc5c799bc79"
},
{
"url": "https://git.kernel.org/stable/c/8004d4b8cbf1bd68a23c160d57287e177c82cc69"
},
{
"url": "https://git.kernel.org/stable/c/7e0c8aaf4e28918abded547a5147c7d52c4af7d2"
},
{
"url": "https://git.kernel.org/stable/c/cebfbf40056a4d858b2a3ca59a69936d599bd209"
},
{
"url": "https://git.kernel.org/stable/c/620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b"
},
{
"url": "https://git.kernel.org/stable/c/eadc49999fa994d6fbd70c332bd5d5051cc42261"
},
{
"url": "https://git.kernel.org/stable/c/56094ad3eaa21e6621396cc33811d8f72847a834"
}
],
"title": "vfs: Don\u0027t leak disconnected dentries on umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40105",
"datePublished": "2025-10-30T09:48:09.674Z",
"dateReserved": "2025-04-16T07:20:57.165Z",
"dateUpdated": "2025-12-01T06:18:08.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40173 (GCVE-0-2025-40173)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
net/ip6_tunnel: Prevent perpetual tunnel growth
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ip6_tunnel: Prevent perpetual tunnel growth
Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.
While ipv4 tunnel headroom adjustment growth was limited in
commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"),
ipv6 tunnel yet increases the headroom without any ceiling.
Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.
Credits to Francesco Ruggeri, who was originally debugging this issue
and wrote local Arista-specific patch and a reproducer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8eb30be0352d09165e94a41fef1c7b994dca0714 , < 566f8d5c8a443f2dd69c5460fdec43ed1c870c65
(git)
Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 11f6066af3bfb8149aa16c42c0b0c5ea5b199a94 (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 402b6985e872b4cf394bbbf33b503947a326a6cb (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 10fe967efe73c610e526ff7460581610633dee9c (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 48294a67863c9cfa367abb66bbf0ef6548ae124f (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < eeb4345488672584db4f8c20a1ae13a212ce31c4 (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < b6eb25d870f1a8ae571fd3da2244b71df547824b (git) Affected: 8eb30be0352d09165e94a41fef1c7b994dca0714 , < 21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "566f8d5c8a443f2dd69c5460fdec43ed1c870c65",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "11f6066af3bfb8149aa16c42c0b0c5ea5b199a94",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "402b6985e872b4cf394bbbf33b503947a326a6cb",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "10fe967efe73c610e526ff7460581610633dee9c",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "48294a67863c9cfa367abb66bbf0ef6548ae124f",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "eeb4345488672584db4f8c20a1ae13a212ce31c4",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "b6eb25d870f1a8ae571fd3da2244b71df547824b",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ip6_tunnel: Prevent perpetual tunnel growth\n\nSimilarly to ipv4 tunnel, ipv6 version updates dev-\u003eneeded_headroom, too.\nWhile ipv4 tunnel headroom adjustment growth was limited in\ncommit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"),\nipv6 tunnel yet increases the headroom without any ceiling.\n\nReflect ipv4 tunnel headroom adjustment limit on ipv6 version.\n\nCredits to Francesco Ruggeri, who was originally debugging this issue\nand wrote local Arista-specific patch and a reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:28.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/566f8d5c8a443f2dd69c5460fdec43ed1c870c65"
},
{
"url": "https://git.kernel.org/stable/c/11f6066af3bfb8149aa16c42c0b0c5ea5b199a94"
},
{
"url": "https://git.kernel.org/stable/c/402b6985e872b4cf394bbbf33b503947a326a6cb"
},
{
"url": "https://git.kernel.org/stable/c/10fe967efe73c610e526ff7460581610633dee9c"
},
{
"url": "https://git.kernel.org/stable/c/48294a67863c9cfa367abb66bbf0ef6548ae124f"
},
{
"url": "https://git.kernel.org/stable/c/eeb4345488672584db4f8c20a1ae13a212ce31c4"
},
{
"url": "https://git.kernel.org/stable/c/b6eb25d870f1a8ae571fd3da2244b71df547824b"
},
{
"url": "https://git.kernel.org/stable/c/21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16"
}
],
"title": "net/ip6_tunnel: Prevent perpetual tunnel growth",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40173",
"datePublished": "2025-11-12T10:53:49.571Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:28.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40180 (GCVE-0-2025-40180)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
The cleanup loop was starting at the wrong array index, causing
out-of-bounds access.
Start the loop at the correct index for zero-indexed arrays to prevent
accessing memory beyond the allocated array bounds.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < cd0cbf2713f6e027ebba867cb7409ae345a31312
(git)
Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < ab96f08ecedd263ecaab9df8455bfb23b07fdcc2 (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 0aead8197fc1a85b0a89646e418feb49a564b029 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd0cbf2713f6e027ebba867cb7409ae345a31312",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "ab96f08ecedd263ecaab9df8455bfb23b07fdcc2",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "0aead8197fc1a85b0a89646e418feb49a564b029",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop\n\nThe cleanup loop was starting at the wrong array index, causing\nout-of-bounds access.\nStart the loop at the correct index for zero-indexed arrays to prevent\naccessing memory beyond the allocated array bounds."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:37.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd0cbf2713f6e027ebba867cb7409ae345a31312"
},
{
"url": "https://git.kernel.org/stable/c/ab96f08ecedd263ecaab9df8455bfb23b07fdcc2"
},
{
"url": "https://git.kernel.org/stable/c/0aead8197fc1a85b0a89646e418feb49a564b029"
}
],
"title": "mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40180",
"datePublished": "2025-11-12T21:56:25.395Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:37.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40176 (GCVE-0-2025-40176)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Async decryption calls tls_strp_msg_hold to create a clone of the
input skb to hold references to the memory it uses. If we fail to
allocate that clone, proceeding with async decryption can lead to
various issues (UAF on the skb, writing into userspace memory after
the recv() call has returned).
In this case, wait for all pending decryption requests.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 9f83fd0c179e0f458e824e417f9d5ad53443f685
(git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c61d4368197d65c4809d9271f3b85325a600586a (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 39dec4ea3daf77f684308576baf483b55ca7f160 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < b8a6ff84abbcbbc445463de58704686011edc8e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "c61d4368197d65c4809d9271f3b85325a600586a",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "39dec4ea3daf77f684308576baf483b55ca7f160",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: wait for pending async decryptions if tls_strp_msg_hold fails\n\nAsync decryption calls tls_strp_msg_hold to create a clone of the\ninput skb to hold references to the memory it uses. If we fail to\nallocate that clone, proceeding with async decryption can lead to\nvarious issues (UAF on the skb, writing into userspace memory after\nthe recv() call has returned).\n\nIn this case, wait for all pending decryption requests."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:32.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685"
},
{
"url": "https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a"
},
{
"url": "https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160"
},
{
"url": "https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0"
},
{
"url": "https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1"
}
],
"title": "tls: wait for pending async decryptions if tls_strp_msg_hold fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40176",
"datePublished": "2025-11-12T10:53:50.443Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:32.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40207 (GCVE-0-2025-40207)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
v4l2_subdev_call_state_try() macro allocates a subdev state with
__v4l2_subdev_state_alloc(), but does not check the returned value. If
__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would
cause v4l2_subdev_call_state_try() to crash.
Add proper error handling to v4l2_subdev_call_state_try().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
982c0487185bd466059ff618f398a8d074ddb654 , < 5b0057459cdc243ffb35617603142dcace09c711
(git)
Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < ed30811fbed40751deb952bde534aa2632dc0bf7 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < 94e6336dc1f06a06f5b4cd04d4a012bba34f2857 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < a553530b3314a0bdc98cf114cdbe204551a70a00 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b0057459cdc243ffb35617603142dcace09c711",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "ed30811fbed40751deb952bde534aa2632dc0bf7",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "94e6336dc1f06a06f5b4cd04d4a012bba34f2857",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "a553530b3314a0bdc98cf114cdbe204551a70a00",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()\n\nv4l2_subdev_call_state_try() macro allocates a subdev state with\n__v4l2_subdev_state_alloc(), but does not check the returned value. If\n__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would\ncause v4l2_subdev_call_state_try() to crash.\n\nAdd proper error handling to v4l2_subdev_call_state_try()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:11.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711"
},
{
"url": "https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7"
},
{
"url": "https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857"
},
{
"url": "https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00"
},
{
"url": "https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e"
}
],
"title": "media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40207",
"datePublished": "2025-11-12T21:56:35.988Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:11.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53229 (GCVE-0-2023-53229)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:22 – Updated: 2025-09-15 14:22
VLAI?
EPSS
Title
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
Avoid potential data corruption issues caused by uninitialized driver
private data structures.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6a9d1b91f34df1935bc0ad98114801a44db0f98c , < db8d32d6b25fdb75c387daee496b96209d477780
(git)
Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 7e68d7c640d41d8a371b8f6c2d2682ea437cbe21 (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < a3593082e0dadf87f17ea4ca9fa0210caaa2aebf (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 3fe20515449a80a177526d2ecd13b43f6ee41aeb (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 30c5a016a37a668c1c07442cf94de6e99ea7417a (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 022c8320d9eb7394538bd716fa1a07a5ed92621b (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 73752a39e2a6e38eee3ba90ece2ded598ea88006 (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 12b220a6171faf10638ab683a975cadcf1a352d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db8d32d6b25fdb75c387daee496b96209d477780",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "7e68d7c640d41d8a371b8f6c2d2682ea437cbe21",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "a3593082e0dadf87f17ea4ca9fa0210caaa2aebf",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "3fe20515449a80a177526d2ecd13b43f6ee41aeb",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "30c5a016a37a668c1c07442cf94de6e99ea7417a",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "022c8320d9eb7394538bd716fa1a07a5ed92621b",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "73752a39e2a6e38eee3ba90ece2ded598ea88006",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "12b220a6171faf10638ab683a975cadcf1a352d6",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta\n\nAvoid potential data corruption issues caused by uninitialized driver\nprivate data structures."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:22:01.784Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db8d32d6b25fdb75c387daee496b96209d477780"
},
{
"url": "https://git.kernel.org/stable/c/7e68d7c640d41d8a371b8f6c2d2682ea437cbe21"
},
{
"url": "https://git.kernel.org/stable/c/a3593082e0dadf87f17ea4ca9fa0210caaa2aebf"
},
{
"url": "https://git.kernel.org/stable/c/3fe20515449a80a177526d2ecd13b43f6ee41aeb"
},
{
"url": "https://git.kernel.org/stable/c/30c5a016a37a668c1c07442cf94de6e99ea7417a"
},
{
"url": "https://git.kernel.org/stable/c/022c8320d9eb7394538bd716fa1a07a5ed92621b"
},
{
"url": "https://git.kernel.org/stable/c/73752a39e2a6e38eee3ba90ece2ded598ea88006"
},
{
"url": "https://git.kernel.org/stable/c/12b220a6171faf10638ab683a975cadcf1a352d6"
}
],
"title": "wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53229",
"datePublished": "2025-09-15T14:22:01.784Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2025-09-15T14:22:01.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50368 (GCVE-0-2022-50368)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2025-09-17 14:56
VLAI?
EPSS
Title
drm/msm/dsi: fix memory corruption with too many bridges
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dsi: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502668/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8
(git)
Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < f649ed0e1b7a1545f8e27267d3c468b3cb222ece (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 21c4679af01f1027cb559330c2e7d410089b2b36 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 9f035d1fb30648fe70ee01627eb131c56d699b35 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < e83b354890a3c1d5256162f87a6cc38c47ae7f20 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 2e786eb2f9cebb07e317226b60054df510b60c65 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dsi/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "f649ed0e1b7a1545f8e27267d3c468b3cb222ece",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "21c4679af01f1027cb559330c2e7d410089b2b36",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "9f035d1fb30648fe70ee01627eb131c56d699b35",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "e83b354890a3c1d5256162f87a6cc38c47ae7f20",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "2e786eb2f9cebb07e317226b60054df510b60c65",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dsi/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502668/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:24.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8"
},
{
"url": "https://git.kernel.org/stable/c/f649ed0e1b7a1545f8e27267d3c468b3cb222ece"
},
{
"url": "https://git.kernel.org/stable/c/21c4679af01f1027cb559330c2e7d410089b2b36"
},
{
"url": "https://git.kernel.org/stable/c/9f035d1fb30648fe70ee01627eb131c56d699b35"
},
{
"url": "https://git.kernel.org/stable/c/e83b354890a3c1d5256162f87a6cc38c47ae7f20"
},
{
"url": "https://git.kernel.org/stable/c/2e786eb2f9cebb07e317226b60054df510b60c65"
}
],
"title": "drm/msm/dsi: fix memory corruption with too many bridges",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50368",
"datePublished": "2025-09-17T14:56:24.102Z",
"dateReserved": "2025-09-17T14:53:06.995Z",
"dateUpdated": "2025-09-17T14:56:24.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40086 (GCVE-0-2025-40086)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
drm/xe: Don't allow evicting of BOs in same VM in array of VM binds
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Don't allow evicting of BOs in same VM in array of VM binds
An array of VM binds can potentially evict other buffer objects (BOs)
within the same VM under certain conditions, which may lead to NULL
pointer dereferences later in the bind pipeline. To prevent this, clear
the allow_res_evict flag in the xe_bo_validate call.
v2:
- Invert polarity of no_res_evict (Thomas)
- Add comment in code explaining issue (Thomas)
(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c",
"drivers/gpu/drm/xe/xe_vm_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5aa0ab0ba7d94549cfe17d6ef7a4f33ba1de8384",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "7ac74613e5f2ef3450f44fd2127198662c2563a9",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c",
"drivers/gpu/drm/xe/xe_vm_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don\u0027t allow evicting of BOs in same VM in array of VM binds\n\nAn array of VM binds can potentially evict other buffer objects (BOs)\nwithin the same VM under certain conditions, which may lead to NULL\npointer dereferences later in the bind pipeline. To prevent this, clear\nthe allow_res_evict flag in the xe_bo_validate call.\n\nv2:\n - Invert polarity of no_res_evict (Thomas)\n - Add comment in code explaining issue (Thomas)\n\n(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:43.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5aa0ab0ba7d94549cfe17d6ef7a4f33ba1de8384"
},
{
"url": "https://git.kernel.org/stable/c/7ac74613e5f2ef3450f44fd2127198662c2563a9"
}
],
"title": "drm/xe: Don\u0027t allow evicting of BOs in same VM in array of VM binds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40086",
"datePublished": "2025-10-30T09:47:56.005Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:43.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40168 (GCVE-0-2025-40168)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
smc_clc_prfx_match() is called from smc_listen_work() and
not under RCU nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the returned value of smc_clc_prfx_match() is not
used in the caller.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d26e80f7fb62d77757b67a1b94e4ac756bc9c658",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
},
{
"lessThan": "235f81045c008169cc4e1955b4a64e118eebe61b",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().\n\nsmc_clc_prfx_match() is called from smc_listen_work() and\nnot under RCU nor RTNL.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the returned value of smc_clc_prfx_match() is not\nused in the caller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:22.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d26e80f7fb62d77757b67a1b94e4ac756bc9c658"
},
{
"url": "https://git.kernel.org/stable/c/235f81045c008169cc4e1955b4a64e118eebe61b"
}
],
"title": "smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40168",
"datePublished": "2025-11-12T10:46:51.422Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:22.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40171 (GCVE-0-2025-40171)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
It’s possible for more than one async command to be in flight from
__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.
In the current code, only one put work item is queued at a time, which
results in a leaked reference.
To fix this, move the work item to the nvmet_fc_ls_req_op struct, which
already tracks all resources related to the command.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5e0bc09a52b6169ce90f7ac6e195791adb16cec4 , < 11269c08013f4ee8b8f5edc6c56700acb34092d0
(git)
Affected: 9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8 , < a28112cc55013cd8cbd5d36b5115a5b851151bd9 (git) Affected: eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30 , < 060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < 7331925c247b03b7767b8cd93cfe1b7aa2377850 (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < 7a619f8c869117ffed08365b377f66b7e1d941b4 (git) Affected: 710c69dbaccdac312e32931abcb8499c1525d397 , < db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 (git) Affected: 1d86f79287206deec36d63b89c741cf542b6cadd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11269c08013f4ee8b8f5edc6c56700acb34092d0",
"status": "affected",
"version": "5e0bc09a52b6169ce90f7ac6e195791adb16cec4",
"versionType": "git"
},
{
"lessThan": "a28112cc55013cd8cbd5d36b5115a5b851151bd9",
"status": "affected",
"version": "9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8",
"versionType": "git"
},
{
"lessThan": "060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c",
"status": "affected",
"version": "eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30",
"versionType": "git"
},
{
"lessThan": "7331925c247b03b7767b8cd93cfe1b7aa2377850",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "7a619f8c869117ffed08365b377f66b7e1d941b4",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "db5a5406fb7e5337a074385c7a3e53c77f2c1bd3",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"status": "affected",
"version": "1d86f79287206deec36d63b89c741cf542b6cadd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: move lsop put work to nvmet_fc_ls_req_op\n\nIt\u2019s possible for more than one async command to be in flight from\n__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.\n\nIn the current code, only one put work item is queued at a time, which\nresults in a leaked reference.\n\nTo fix this, move the work item to the nvmet_fc_ls_req_op struct, which\nalready tracks all resources related to the command."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:25.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0"
},
{
"url": "https://git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9"
},
{
"url": "https://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c"
},
{
"url": "https://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850"
},
{
"url": "https://git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4"
},
{
"url": "https://git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3"
}
],
"title": "nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40171",
"datePublished": "2025-11-12T10:46:52.289Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:25.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40206 (GCVE-0-2025-40206)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
netfilter: nft_objref: validate objref and objrefmap expressions
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_objref: validate objref and objrefmap expressions
Referencing a synproxy stateful object from OUTPUT hook causes kernel
crash due to infinite recursive calls:
BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
__find_rr_leaf+0x99/0x230
fib6_table_lookup+0x13b/0x2d0
ip6_pol_route+0xa4/0x400
fib6_rule_lookup+0x156/0x240
ip6_route_output_flags+0xc6/0x150
__nf_ip6_route+0x23/0x50
synproxy_send_tcp_ipv6+0x106/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
nft_synproxy_do_eval+0x263/0x310
nft_do_chain+0x5a8/0x5f0 [nf_tables
nft_do_chain_inet+0x98/0x110
nf_hook_slow+0x43/0xc0
__ip6_local_out+0xf0/0x170
ip6_local_out+0x17/0x70
synproxy_send_tcp_ipv6+0x1a2/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
[...]
Implement objref and objrefmap expression validate functions.
Currently, only NFT_OBJECT_SYNPROXY object type requires validation.
This will also handle a jump to a chain using a synproxy object from the
OUTPUT hook.
Now when trying to reference a synproxy object in the OUTPUT hook, nft
will produce the following error:
synproxy_crash.nft: Error: Could not process rule: Operation not supported
synproxy name mysynproxy
^^^^^^^^^^^^^^^^^^^^^^^^
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 0028e0134c64d9ed21728341a74fcfc59cd0f944
(git)
Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0 (git) Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < 4c1cf72ec10be5a9ad264650cadffa1fbce6fabd (git) Affected: ee394f96ad7517fbc0de9106dcc7ce9efb14f264 , < f359b809d54c6e3dd1d039b97e0b68390b0e53e4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0028e0134c64d9ed21728341a74fcfc59cd0f944",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "4c1cf72ec10be5a9ad264650cadffa1fbce6fabd",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "f359b809d54c6e3dd1d039b97e0b68390b0e53e4",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_objref: validate objref and objrefmap expressions\n\nReferencing a synproxy stateful object from OUTPUT hook causes kernel\ncrash due to infinite recursive calls:\n\nBUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)\n[...]\nCall Trace:\n __find_rr_leaf+0x99/0x230\n fib6_table_lookup+0x13b/0x2d0\n ip6_pol_route+0xa4/0x400\n fib6_rule_lookup+0x156/0x240\n ip6_route_output_flags+0xc6/0x150\n __nf_ip6_route+0x23/0x50\n synproxy_send_tcp_ipv6+0x106/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n nft_synproxy_do_eval+0x263/0x310\n nft_do_chain+0x5a8/0x5f0 [nf_tables\n nft_do_chain_inet+0x98/0x110\n nf_hook_slow+0x43/0xc0\n __ip6_local_out+0xf0/0x170\n ip6_local_out+0x17/0x70\n synproxy_send_tcp_ipv6+0x1a2/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n[...]\n\nImplement objref and objrefmap expression validate functions.\n\nCurrently, only NFT_OBJECT_SYNPROXY object type requires validation.\nThis will also handle a jump to a chain using a synproxy object from the\nOUTPUT hook.\n\nNow when trying to reference a synproxy object in the OUTPUT hook, nft\nwill produce the following error:\n\nsynproxy_crash.nft: Error: Could not process rule: Operation not supported\n synproxy name mysynproxy\n ^^^^^^^^^^^^^^^^^^^^^^^^"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:10.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944"
},
{
"url": "https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0"
},
{
"url": "https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd"
},
{
"url": "https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4"
}
],
"title": "netfilter: nft_objref: validate objref and objrefmap expressions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40206",
"datePublished": "2025-11-12T21:56:35.675Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:10.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40139 (GCVE-0-2025-40139)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
smc_clc_prfx_set() is called during connect() and not under RCU
nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()
after kernel_getsockname().
Note that the returned value of smc_clc_prfx_set() is not used
in the caller.
While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()
not to touch dst there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0736993bfe5c7a9c744ae3fac62d769dfdae54e1",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
},
{
"lessThan": "935d783e5de9b64587f3adb25641dd8385e64ddb",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().\n\nsmc_clc_prfx_set() is called during connect() and not under RCU\nnor RTNL.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()\nafter kernel_getsockname().\n\nNote that the returned value of smc_clc_prfx_set() is not used\nin the caller.\n\nWhile at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()\nnot to touch dst there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:47.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1"
},
{
"url": "https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb"
}
],
"title": "smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40139",
"datePublished": "2025-11-12T10:23:24.216Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:47.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39805 (GCVE-0-2025-39805)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net: macb: fix unregister_netdev call order in macb_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix unregister_netdev call order in macb_remove()
When removing a macb device, the driver calls phy_exit() before
unregister_netdev(). This leads to a WARN from kernfs:
------------[ cut here ]------------
kernfs: can not remove 'attached_dev', no directory
WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683
Call trace:
kernfs_remove_by_name_ns+0xd8/0xf0
sysfs_remove_link+0x24/0x58
phy_detach+0x5c/0x168
phy_disconnect+0x4c/0x70
phylink_disconnect_phy+0x6c/0xc0 [phylink]
macb_close+0x6c/0x170 [macb]
...
macb_remove+0x60/0x168 [macb]
platform_remove+0x5c/0x80
...
The warning happens because the PHY is being exited while the netdev
is still registered. The correct order is to unregister the netdev
before shutting down the PHY and cleaning up the MDIO bus.
Fix this by moving unregister_netdev() ahead of phy_exit() in
macb_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8b73fa3ae02b2401960de41b0454c0321377b203 , < 7351782f2fc8ac31ced52e3d4e6fa120f819a7ab
(git)
Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 2b9719ccad38dffad7dbdd2f39896f723f9b9011 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < ff0d3bad32108b57265e5b48f15327549af771d3 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 775fe690fd4a3337ad2115de2adb41b227d4dae7 (git) Affected: 8b73fa3ae02b2401960de41b0454c0321377b203 , < 01b9128c5db1b470575d07b05b67ffa3cb02ebf1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7351782f2fc8ac31ced52e3d4e6fa120f819a7ab",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "2b9719ccad38dffad7dbdd2f39896f723f9b9011",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "ff0d3bad32108b57265e5b48f15327549af771d3",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "775fe690fd4a3337ad2115de2adb41b227d4dae7",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
},
{
"lessThan": "01b9128c5db1b470575d07b05b67ffa3cb02ebf1",
"status": "affected",
"version": "8b73fa3ae02b2401960de41b0454c0321377b203",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix unregister_netdev call order in macb_remove()\n\nWhen removing a macb device, the driver calls phy_exit() before\nunregister_netdev(). This leads to a WARN from kernfs:\n\n ------------[ cut here ]------------\n kernfs: can not remove \u0027attached_dev\u0027, no directory\n WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683\n Call trace:\n kernfs_remove_by_name_ns+0xd8/0xf0\n sysfs_remove_link+0x24/0x58\n phy_detach+0x5c/0x168\n phy_disconnect+0x4c/0x70\n phylink_disconnect_phy+0x6c/0xc0 [phylink]\n macb_close+0x6c/0x170 [macb]\n ...\n macb_remove+0x60/0x168 [macb]\n platform_remove+0x5c/0x80\n ...\n\nThe warning happens because the PHY is being exited while the netdev\nis still registered. The correct order is to unregister the netdev\nbefore shutting down the PHY and cleaning up the MDIO bus.\n\nFix this by moving unregister_netdev() ahead of phy_exit() in\nmacb_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:34.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7351782f2fc8ac31ced52e3d4e6fa120f819a7ab"
},
{
"url": "https://git.kernel.org/stable/c/2b9719ccad38dffad7dbdd2f39896f723f9b9011"
},
{
"url": "https://git.kernel.org/stable/c/ff0d3bad32108b57265e5b48f15327549af771d3"
},
{
"url": "https://git.kernel.org/stable/c/775fe690fd4a3337ad2115de2adb41b227d4dae7"
},
{
"url": "https://git.kernel.org/stable/c/01b9128c5db1b470575d07b05b67ffa3cb02ebf1"
}
],
"title": "net: macb: fix unregister_netdev call order in macb_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39805",
"datePublished": "2025-09-16T13:00:06.731Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-12-06T21:38:34.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40164 (GCVE-0-2025-40164)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
usbnet: Fix using smp_processor_id() in preemptible code warnings
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix using smp_processor_id() in preemptible code warnings
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0134c7bff14bd50314a4f92b182850ddfc38e255",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "327cd4b68b4398b6c24f10eb2b2533ffbfc10185",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:17.212Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255"
},
{
"url": "https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185"
}
],
"title": "usbnet: Fix using smp_processor_id() in preemptible code warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40164",
"datePublished": "2025-11-12T10:26:23.482Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:17.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40064 (GCVE-0-2025-40064)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
smc: Fix use-after-free in __pnet_find_base_ndev().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in __pnet_find_base_ndev().
syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
which was called during connect(). [0]
smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened
at __pnet_find_base_ndev() when the dev is first used.
This means dev had already been freed before acquiring RTNL in
pnet_find_base_ndev().
While dev is going away, dst->dev could be swapped with blackhole_netdev,
and the dev's refcnt by dst will be released.
We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
Also, smc_pnet_find_roce_resource() has the same problem.
Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
[0]:
BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609
CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
smc_find_ism_device net/smc/af_smc.c:1030 [inline]
smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
__smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
__sys_connect_file net/socket.c:2086 [inline]
__sys_connect+0x313/0x440 net/socket.c:2105
__do_sys_connect net/socket.c:2111 [inline]
__se_sys_connect net/socket.c:2108 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2108
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47cbf8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "233927b645cb7a14bb98d23ac72e4c7243a9f0d9",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
},
{
"lessThan": "3d3466878afd8d43ec0ca2facfbc7f03e40d0f79",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in __pnet_find_base_ndev().\n\nsyzbot reported use-after-free of net_device in __pnet_find_base_ndev(),\nwhich was called during connect(). [0]\n\nsmc_pnet_find_ism_resource() fetches sk_dst_get(sk)-\u003edev and passes\ndown to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened\nat __pnet_find_base_ndev() when the dev is first used.\n\nThis means dev had already been freed before acquiring RTNL in\npnet_find_base_ndev().\n\nWhile dev is going away, dst-\u003edev could be swapped with blackhole_netdev,\nand the dev\u0027s refcnt by dst will be released.\n\nWe must hold dev\u0027s refcnt before calling smc_pnet_find_ism_resource().\n\nAlso, smc_pnet_find_roce_resource() has the same problem.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu() in the two functions.\n\n[0]:\nBUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\nRead of size 1 at addr ffff888036bac33a by task syz.0.3632/18609\n\nCPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\n pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]\n smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]\n smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154\n smc_find_ism_device net/smc/af_smc.c:1030 [inline]\n smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]\n __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545\n smc_connect+0x877/0xd90 net/smc/af_smc.c:1715\n __sys_connect_file net/socket.c:2086 [inline]\n __sys_connect+0x313/0x440 net/socket.c:2105\n __do_sys_connect net/socket.c:2111 [inline]\n __se_sys_connect net/socket.c:2108 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2108\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f47cbf8eba9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9\nRDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b\nRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000\nraw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\n prep_new_page mm/page_alloc.c:1859 [inline]\n get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148\n alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416\n ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kvmalloc_node\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:14.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/233927b645cb7a14bb98d23ac72e4c7243a9f0d9"
},
{
"url": "https://git.kernel.org/stable/c/3d3466878afd8d43ec0ca2facfbc7f03e40d0f79"
}
],
"title": "smc: Fix use-after-free in __pnet_find_base_ndev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40064",
"datePublished": "2025-10-28T11:48:35.155Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:14.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40083 (GCVE-0-2025-40083)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net/sched: sch_qfq: Fix null-deref in agg_dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 71d84658a61322e5630c85c5388fc25e4a2d08b2
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 99fc137f178797204d36ac860dd8b31e35baa2df (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bed56f089f09b465420bf23bb32985c305cfc28 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3c2a8994807623c7655ece205667ae2cf74940aa (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6ffa9d66187188e3068b5a3895e6ae1ee34f9199 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6ff8e74c8f8a68ec07ef837b95425dfe900d060f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd831ac8221e691e9e918585b1003c7071df0379 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:40.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
},
{
"url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
},
{
"url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
},
{
"url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
},
{
"url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
},
{
"url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
},
{
"url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
}
],
"title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40083",
"datePublished": "2025-10-29T13:37:01.868Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-06T21:38:40.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39967 (GCVE-0-2025-39967)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
fbcon: fix integer overflow in fbcon_do_set_font
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: fix integer overflow in fbcon_do_set_font
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.
The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
96e41fc29e8af5c5085fb8a79cab8d0d00bab86c , < 994bdc2d23c79087fbf7dcd9544454e8ebcef877
(git)
Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 9c8ec14075c5317edd6b242f1be8167aa1e4e333 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < b8a6e85328aeb9881531dbe89bcd2637a06c3c95 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < a6eb9f423b3db000aaedf83367b8539f6b72dcfc (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < adac90bb1aaf45ca66f9db8ac100be16750ace78 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 4a4bac869560f943edbe3c2b032062f6673b13d3 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7 (git) Affected: 39b3cffb8cf3111738ea993e2757ab382253d86a , < 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe (git) Affected: ae021a904ac82d9fc81c25329d3c465c5a7d5686 (git) Affected: 451bffa366f2cc0e5314807cb847f31c0226efed (git) Affected: 2c455e9c5865861f5ce09c5f596909495ed7657c (git) Affected: 72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e (git) Affected: 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994bdc2d23c79087fbf7dcd9544454e8ebcef877",
"status": "affected",
"version": "96e41fc29e8af5c5085fb8a79cab8d0d00bab86c",
"versionType": "git"
},
{
"lessThan": "9c8ec14075c5317edd6b242f1be8167aa1e4e333",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "b8a6e85328aeb9881531dbe89bcd2637a06c3c95",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "a6eb9f423b3db000aaedf83367b8539f6b72dcfc",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "adac90bb1aaf45ca66f9db8ac100be16750ace78",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "4a4bac869560f943edbe3c2b032062f6673b13d3",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"status": "affected",
"version": "ae021a904ac82d9fc81c25329d3c465c5a7d5686",
"versionType": "git"
},
{
"status": "affected",
"version": "451bffa366f2cc0e5314807cb847f31c0226efed",
"versionType": "git"
},
{
"status": "affected",
"version": "2c455e9c5865861f5ce09c5f596909495ed7657c",
"versionType": "git"
},
{
"status": "affected",
"version": "72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e",
"versionType": "git"
},
{
"status": "affected",
"version": "34cf1aff169dc6dedad8d79da7bf1b4de2773dbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount\n multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safety validate all size\ncalculations before allocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:51.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"
},
{
"url": "https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333"
},
{
"url": "https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"
},
{
"url": "https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"
},
{
"url": "https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"
},
{
"url": "https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"
},
{
"url": "https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"
},
{
"url": "https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"
}
],
"title": "fbcon: fix integer overflow in fbcon_do_set_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39967",
"datePublished": "2025-10-15T07:55:51.554Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:51.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40080 (GCVE-0-2025-40080)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
nbd: restrict sockets to TCP and UDP
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: restrict sockets to TCP and UDP
Recently, syzbot started to abuse NBD with all kinds of sockets.
Commit cf1b2326b734 ("nbd: verify socket is supported during setup")
made sure the socket supported a shutdown() method.
Explicitely accept TCP and UNIX stream sockets.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf1b2326b734896734c6e167e41766f9cee7686a , < c365e8f20f4201d873a70385bd919f0fb531e960
(git)
Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 37ad11f20e164c23ce827dd455b42c0fdd29685c (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 808e2335bc1cf2293b9e36ccc94c267c81509c71 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 9f7c02e031570e8291a63162c6c046dc15ff85b0 (git) Affected: 4df728651b8a99693c69962d8e5a5b9e5a3bbcc7 (git) Affected: 083322455c67d278c56a66b73f1221f004ee600a (git) Affected: 4fa1cbd587ef967812f9d9f6ce46ec1dead7502c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c365e8f20f4201d873a70385bd919f0fb531e960",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "37ad11f20e164c23ce827dd455b42c0fdd29685c",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "808e2335bc1cf2293b9e36ccc94c267c81509c71",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "9f7c02e031570e8291a63162c6c046dc15ff85b0",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"status": "affected",
"version": "4df728651b8a99693c69962d8e5a5b9e5a3bbcc7",
"versionType": "git"
},
{
"status": "affected",
"version": "083322455c67d278c56a66b73f1221f004ee600a",
"versionType": "git"
},
{
"status": "affected",
"version": "4fa1cbd587ef967812f9d9f6ce46ec1dead7502c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitely accept TCP and UNIX stream sockets."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:37.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c365e8f20f4201d873a70385bd919f0fb531e960"
},
{
"url": "https://git.kernel.org/stable/c/4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7"
},
{
"url": "https://git.kernel.org/stable/c/37ad11f20e164c23ce827dd455b42c0fdd29685c"
},
{
"url": "https://git.kernel.org/stable/c/808e2335bc1cf2293b9e36ccc94c267c81509c71"
},
{
"url": "https://git.kernel.org/stable/c/9f7c02e031570e8291a63162c6c046dc15ff85b0"
}
],
"title": "nbd: restrict sockets to TCP and UDP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40080",
"datePublished": "2025-10-28T11:48:44.796Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:37.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39788 (GCVE-0-2025-39788)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
and in this case the driver ends up programming the UTRL_NEXUS_TYPE
incorrectly as 0.
This is because the left hand side of the shift is 1, which is of type
int, i.e. 31 bits wide. Shifting by more than that width results in
undefined behaviour.
Fix this by switching to the BIT() macro, which applies correct type
casting as required. This ensures the correct value is written to
UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
warning:
UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'
For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
write.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55f4b1f73631a0817717fe6e98517de51b4c3527 , < 01510a9e8222f11cce064410f3c2fcf0756c0a08
(git)
Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < 098b2c8ee208c77126839047b9e6e1925bb35baa (git) Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < c1f025da8f370a015e412b55cbcc583f91de8316 (git) Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < 6d53b2a134da77eb7fe65c5c7c7a3c193539a78a (git) Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < dc8fb963742f1a38d284946638f9358bdaa0ddee (git) Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < 5b9f1ef293428ea9c0871d96fcec2a87c4445832 (git) Affected: 55f4b1f73631a0817717fe6e98517de51b4c3527 , < 01aad16c2257ab8ff33b152b972c9f2e1af47912 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:23.201Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/host/ufs-exynos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01510a9e8222f11cce064410f3c2fcf0756c0a08",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "098b2c8ee208c77126839047b9e6e1925bb35baa",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "c1f025da8f370a015e412b55cbcc583f91de8316",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "6d53b2a134da77eb7fe65c5c7c7a3c193539a78a",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "dc8fb963742f1a38d284946638f9358bdaa0ddee",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "5b9f1ef293428ea9c0871d96fcec2a87c4445832",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
},
{
"lessThan": "01aad16c2257ab8ff33b152b972c9f2e1af47912",
"status": "affected",
"version": "55f4b1f73631a0817717fe6e98517de51b4c3527",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/host/ufs-exynos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n shift exponent 32 is too large for 32-bit type \u0027int\u0027\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:25.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08"
},
{
"url": "https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa"
},
{
"url": "https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316"
},
{
"url": "https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a"
},
{
"url": "https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee"
},
{
"url": "https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832"
},
{
"url": "https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912"
}
],
"title": "scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39788",
"datePublished": "2025-09-11T16:56:37.173Z",
"dateReserved": "2025-04-16T07:20:57.131Z",
"dateUpdated": "2025-11-03T17:43:23.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39944 (GCVE-0-2025-39944)
Vulnerability from cvelistv5 – Published: 2025-10-04 07:31 – Updated: 2025-10-04 07:31
VLAI?
EPSS
Title
octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()
The original code relies on cancel_delayed_work() in otx2_ptp_destroy(),
which does not ensure that the delayed work item synctstamp_work has fully
completed if it was already running. This leads to use-after-free scenarios
where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work
remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().
Furthermore, the synctstamp_work is cyclic, the likelihood of triggering
the bug is nonnegligible.
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
otx2_remove() |
otx2_ptp_destroy() | otx2_sync_tstamp()
cancel_delayed_work() |
kfree(ptp) |
| ptp = container_of(...); //UAF
| ptp-> //UAF
This is confirmed by a KASAN report:
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800aa09a18 by task bash/136
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? __pfx___run_timer_base.part.0+0x10/0x10
? __pfx_read_tsc+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
run_timer_softirq+0xd1/0x190
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 1:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
otx2_ptp_init+0xb1/0x860
otx2_probe+0x4eb/0xc30
local_pci_probe+0xdc/0x190
pci_device_probe+0x2fe/0x470
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__driver_attach+0xd2/0x310
bus_for_each_dev+0xed/0x170
bus_add_driver+0x208/0x500
driver_register+0x132/0x460
do_one_initcall+0x89/0x300
kernel_init_freeable+0x40d/0x720
kernel_init+0x1a/0x150
ret_from_fork+0x10c/0x1a0
ret_from_fork_asm+0x1a/0x30
Freed by task 136:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
otx2_ptp_destroy+0x38/0x80
otx2_remove+0x10d/0x4c0
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0xf8/0x210
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device_locked+0x15/0x30
remove_store+0xcc/0xe0
kernfs_fop_write_iter+0x2c3/0x440
vfs_write+0x871/0xd70
ksys_write+0xee/0x1c0
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled before the otx2_ptp is
deallocated.
This bug was initially identified through static analysis. To reproduce
and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced
artificial delays within the otx2_sync_tstamp() function to increase the
likelihood of triggering the bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2958d17a898416c6193431676f6130b68a2cb9fc , < 2786879aebf363806a13d41e8d5f99202ddd23d9
(git)
Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < d2cfefa14ce8137b17f99683f968bebf134b6a48 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < ff27e23b311fed4d25e3852e27ba693416d4c7b3 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < 5ca20bb7b4bde72110c3ae78423cbfdd0157aa36 (git) Affected: 2958d17a898416c6193431676f6130b68a2cb9fc , < f8b4687151021db61841af983f1cb7be6915d4ef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2786879aebf363806a13d41e8d5f99202ddd23d9",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "d2cfefa14ce8137b17f99683f968bebf134b6a48",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "ff27e23b311fed4d25e3852e27ba693416d4c7b3",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "5ca20bb7b4bde72110c3ae78423cbfdd0157aa36",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
},
{
"lessThan": "f8b4687151021db61841af983f1cb7be6915d4ef",
"status": "affected",
"version": "2958d17a898416c6193431676f6130b68a2cb9fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()\n\nThe original code relies on cancel_delayed_work() in otx2_ptp_destroy(),\nwhich does not ensure that the delayed work item synctstamp_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work\nremains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().\nFurthermore, the synctstamp_work is cyclic, the likelihood of triggering\nthe bug is nonnegligible.\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\notx2_remove() |\n otx2_ptp_destroy() | otx2_sync_tstamp()\n cancel_delayed_work() |\n kfree(ptp) |\n | ptp = container_of(...); //UAF\n | ptp-\u003e //UAF\n\nThis is confirmed by a KASAN report:\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800aa09a18 by task bash/136\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n otx2_ptp_init+0xb1/0x860\n otx2_probe+0x4eb/0xc30\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 136:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n otx2_ptp_destroy+0x38/0x80\n otx2_remove+0x10d/0x4c0\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled before the otx2_ptp is\ndeallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the OcteonTX2 PCI device in QEMU and introduced\nartificial delays within the otx2_sync_tstamp() function to increase the\nlikelihood of triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:06.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2786879aebf363806a13d41e8d5f99202ddd23d9"
},
{
"url": "https://git.kernel.org/stable/c/d2cfefa14ce8137b17f99683f968bebf134b6a48"
},
{
"url": "https://git.kernel.org/stable/c/ff27e23b311fed4d25e3852e27ba693416d4c7b3"
},
{
"url": "https://git.kernel.org/stable/c/5ca20bb7b4bde72110c3ae78423cbfdd0157aa36"
},
{
"url": "https://git.kernel.org/stable/c/f8b4687151021db61841af983f1cb7be6915d4ef"
}
],
"title": "octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39944",
"datePublished": "2025-10-04T07:31:06.339Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:06.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50569 (GCVE-0-2022-50569)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
xfrm: Update ipcomp_scratches with NULL when freed
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Update ipcomp_scratches with NULL when freed
Currently if ipcomp_alloc_scratches() fails to allocate memory
ipcomp_scratches holds obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches() it tries to vfree non
existent vm area. Described below:
static void * __percpu *ipcomp_alloc_scratches(void)
{
...
scratches = alloc_percpu(void *);
if (!scratches)
return NULL;
ipcomp_scratches does not know about this allocation failure.
Therefore holding the old obsolete address.
...
}
So when we free,
static void ipcomp_free_scratches(void)
{
...
scratches = ipcomp_scratches;
Assigning obsolete address from ipcomp_scratches
if (!scratches)
return;
for_each_possible_cpu(i)
vfree(*per_cpu_ptr(scratches, i));
Trying to free non existent page, causing warning: trying to vfree
existent vm area.
...
}
Fix this breakage by updating ipcomp_scrtches with NULL when scratches
is freed
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < debca61df6bc2f65e020656c9c5b878d6b38d30f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a39f456d62810c0efb43cead22f98d95b53e4b1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e8abde895b3ac6a368cbdb372e8800c49e73a28 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18373ed500f7cd53e24d9b0bd0f1c09d78dba87e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < be81c44242b20fc3bdcc73480ef8aaee56f5d0b6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 03155680191ef0f004b1d6a5714c5b8cd271ab61 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3bdba4440d82e0da2b1bfc35d3836c8a8e00677 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c19945ce8095d065df550e7fe350cd5cc40c6e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a04d2fc700f717104bfb95b0f6694e448a4537f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_ipcomp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "debca61df6bc2f65e020656c9c5b878d6b38d30f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a39f456d62810c0efb43cead22f98d95b53e4b1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e8abde895b3ac6a368cbdb372e8800c49e73a28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18373ed500f7cd53e24d9b0bd0f1c09d78dba87e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be81c44242b20fc3bdcc73480ef8aaee56f5d0b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "03155680191ef0f004b1d6a5714c5b8cd271ab61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3bdba4440d82e0da2b1bfc35d3836c8a8e00677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c19945ce8095d065df550e7fe350cd5cc40c6e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a04d2fc700f717104bfb95b0f6694e448a4537f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_ipcomp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Update ipcomp_scratches with NULL when freed\n\nCurrently if ipcomp_alloc_scratches() fails to allocate memory\nipcomp_scratches holds obsolete address. So when we try to free the\npercpu scratches using ipcomp_free_scratches() it tries to vfree non\nexistent vm area. Described below:\n\nstatic void * __percpu *ipcomp_alloc_scratches(void)\n{\n ...\n scratches = alloc_percpu(void *);\n if (!scratches)\n return NULL;\nipcomp_scratches does not know about this allocation failure.\nTherefore holding the old obsolete address.\n ...\n}\n\nSo when we free,\n\nstatic void ipcomp_free_scratches(void)\n{\n ...\n scratches = ipcomp_scratches;\nAssigning obsolete address from ipcomp_scratches\n\n if (!scratches)\n return;\n\n for_each_possible_cpu(i)\n vfree(*per_cpu_ptr(scratches, i));\nTrying to free non existent page, causing warning: trying to vfree\nexistent vm area.\n ...\n}\n\nFix this breakage by updating ipcomp_scrtches with NULL when scratches\nis freed"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:04.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/debca61df6bc2f65e020656c9c5b878d6b38d30f"
},
{
"url": "https://git.kernel.org/stable/c/a39f456d62810c0efb43cead22f98d95b53e4b1a"
},
{
"url": "https://git.kernel.org/stable/c/1e8abde895b3ac6a368cbdb372e8800c49e73a28"
},
{
"url": "https://git.kernel.org/stable/c/18373ed500f7cd53e24d9b0bd0f1c09d78dba87e"
},
{
"url": "https://git.kernel.org/stable/c/be81c44242b20fc3bdcc73480ef8aaee56f5d0b6"
},
{
"url": "https://git.kernel.org/stable/c/03155680191ef0f004b1d6a5714c5b8cd271ab61"
},
{
"url": "https://git.kernel.org/stable/c/f3bdba4440d82e0da2b1bfc35d3836c8a8e00677"
},
{
"url": "https://git.kernel.org/stable/c/2c19945ce8095d065df550e7fe350cd5cc40c6e6"
},
{
"url": "https://git.kernel.org/stable/c/8a04d2fc700f717104bfb95b0f6694e448a4537f"
}
],
"title": "xfrm: Update ipcomp_scratches with NULL when freed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50569",
"datePublished": "2025-10-22T13:23:25.810Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2025-12-23T13:30:04.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40075 (GCVE-0-2025-40075)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-18 13:37
VLAI?
EPSS
Title
tcp_metrics: use dst_dev_net_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_metrics: use dst_dev_net_rcu()
Replace three dst_dev() with a lockdep enabled helper.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 4b89397807eb04986427c4786d065e9442834ad4
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 07613a95326ebad2d1b88d883cd72546025a4f3e (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 50c127a69cd6285300931853b352a1918cfa180f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b89397807eb04986427c4786d065e9442834ad4",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "07613a95326ebad2d1b88d883cd72546025a4f3e",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "50c127a69cd6285300931853b352a1918cfa180f",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: use dst_dev_net_rcu()\n\nReplace three dst_dev() with a lockdep enabled helper."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T13:37:18.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b89397807eb04986427c4786d065e9442834ad4"
},
{
"url": "https://git.kernel.org/stable/c/07613a95326ebad2d1b88d883cd72546025a4f3e"
},
{
"url": "https://git.kernel.org/stable/c/50c127a69cd6285300931853b352a1918cfa180f"
}
],
"title": "tcp_metrics: use dst_dev_net_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40075",
"datePublished": "2025-10-28T11:48:41.791Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-18T13:37:18.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50364 (GCVE-0-2022-50364)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2025-09-17 14:56
VLAI?
EPSS
Title
i2c: mux: reg: check return value after calling platform_get_resource()
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: mux: reg: check return value after calling platform_get_resource()
It will cause null-ptr-deref in resource_size(), if platform_get_resource()
returns NULL, move calling resource_size() after devm_ioremap_resource() that
will check 'res' to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b3fdd32799d834e2626fae087906e886037350c6 , < 61df25c41b8e0d2c988ccf17139f70075a2e1ba4
(git)
Affected: b3fdd32799d834e2626fae087906e886037350c6 , < 8212800943997fab61874550278d653cb378c60c (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < f5049b3ad9446203b916ee375f30fa217735f63a (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < f7a440c89b6d460154efeb058272760e41bdfea8 (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < 2d47b79d2bd39cc6369eccf94a06568d84c906ae (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61df25c41b8e0d2c988ccf17139f70075a2e1ba4",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "8212800943997fab61874550278d653cb378c60c",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f5049b3ad9446203b916ee375f30fa217735f63a",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f7a440c89b6d460154efeb058272760e41bdfea8",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "2d47b79d2bd39cc6369eccf94a06568d84c906ae",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mux: reg: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check \u0027res\u0027 to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:15.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61df25c41b8e0d2c988ccf17139f70075a2e1ba4"
},
{
"url": "https://git.kernel.org/stable/c/8212800943997fab61874550278d653cb378c60c"
},
{
"url": "https://git.kernel.org/stable/c/f5049b3ad9446203b916ee375f30fa217735f63a"
},
{
"url": "https://git.kernel.org/stable/c/f7a440c89b6d460154efeb058272760e41bdfea8"
},
{
"url": "https://git.kernel.org/stable/c/2d47b79d2bd39cc6369eccf94a06568d84c906ae"
}
],
"title": "i2c: mux: reg: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50364",
"datePublished": "2025-09-17T14:56:15.753Z",
"dateReserved": "2025-09-17T14:53:06.994Z",
"dateUpdated": "2025-09-17T14:56:15.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39859 (GCVE-0-2025-39859)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-09-29 06:01
VLAI?
EPSS
Title
ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
The ptp_ocp_detach() only shuts down the watchdog timer if it is
pending. However, if the timer handler is already running, the
timer_delete_sync() is not called. This leads to race conditions
where the devlink that contains the ptp_ocp is deallocated while
the timer handler is still accessing it, resulting in use-after-free
bugs. The following details one of the race scenarios.
(thread 1) | (thread 2)
ptp_ocp_remove() |
ptp_ocp_detach() | ptp_ocp_watchdog()
if (timer_pending(&bp->watchdog))| bp = timer_container_of()
timer_delete_sync() |
|
devlink_free(devlink) //free |
| bp-> //use
Resolve this by unconditionally calling timer_delete_sync() to ensure
the timer is reliably deactivated, preventing any access after free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ptp/ptp_ocp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f10d3c7267ac7387a5129d5506c3c5f2460cfd9b",
"status": "affected",
"version": "773bda96492153e11d21eb63ac814669b51fc701",
"versionType": "git"
},
{
"lessThan": "8bf935cf789872350b04c1a6468b0a509f67afb2",
"status": "affected",
"version": "773bda96492153e11d21eb63ac814669b51fc701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ptp/ptp_ocp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog\n\nThe ptp_ocp_detach() only shuts down the watchdog timer if it is\npending. However, if the timer handler is already running, the\ntimer_delete_sync() is not called. This leads to race conditions\nwhere the devlink that contains the ptp_ocp is deallocated while\nthe timer handler is still accessing it, resulting in use-after-free\nbugs. The following details one of the race scenarios.\n\n(thread 1) | (thread 2)\nptp_ocp_remove() |\n ptp_ocp_detach() | ptp_ocp_watchdog()\n if (timer_pending(\u0026bp-\u003ewatchdog))| bp = timer_container_of()\n timer_delete_sync() |\n |\n devlink_free(devlink) //free |\n | bp-\u003e //use\n\nResolve this by unconditionally calling timer_delete_sync() to ensure\nthe timer is reliably deactivated, preventing any access after free."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:13.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f10d3c7267ac7387a5129d5506c3c5f2460cfd9b"
},
{
"url": "https://git.kernel.org/stable/c/8bf935cf789872350b04c1a6468b0a509f67afb2"
}
],
"title": "ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39859",
"datePublished": "2025-09-19T15:26:29.717Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:13.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40110 (GCVE-0-2025-40110)
Vulnerability from cvelistv5 – Published: 2025-11-12 01:07 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 299cfb5a7deabdf9ecd30071755672af0aced5eb
(git)
Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 13c9e4ed125e19484234c960efe5ac9c55119523 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < b6fca0a07989f361ceda27cb2d09c555d4d4a964 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 5ac2c0279053a2c5265d46903432fb26ae2d0da2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "299cfb5a7deabdf9ecd30071755672af0aced5eb",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "13c9e4ed125e19484234c960efe5ac9c55119523",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "b6fca0a07989f361ceda27cb2d09c555d4d4a964",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "5ac2c0279053a2c5265d46903432fb26ae2d0da2",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a null-ptr access in the cursor snooper\n\nCheck that the resource which is converted to a surface exists before\ntrying to use the cursor snooper on it.\n\nvmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers\nbecause some svga commands accept SVGA3D_INVALID_ID to mean \"no surface\",\nunfortunately functions that accept the actual surfaces as objects might\n(and in case of the cursor snooper, do not) be able to handle null\nobjects. Make sure that we validate not only the identifier (via the\nvmw_cmd_res_check) but also check that the actual resource exists before\ntrying to do something with it.\n\nFixes unchecked null-ptr reference in the snooping code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:13.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb"
},
{
"url": "https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523"
},
{
"url": "https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964"
},
{
"url": "https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2"
}
],
"title": "drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40110",
"datePublished": "2025-11-12T01:07:24.739Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:13.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40038 (GCVE-0-2025-40038)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP
isn't valid, e.g. because KVM is running with nrips=false. SVM must
decode and emulate to skip the instruction if the CPU doesn't provide the
next RIP, and getting the instruction bytes to decode requires reading
guest memory. Reading guest memory through the emulator can fault, i.e.
can sleep, which is disallowed since the fastpath handlers run with IRQs
disabled.
BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
irq event stamp: 30580
hardirqs last enabled at (30579): [<ffffffffc08b2527>] vcpu_run+0x1787/0x1db0 [kvm]
hardirqs last disabled at (30580): [<ffffffffb4f62e32>] __schedule+0x1e2/0xed0
softirqs last enabled at (30570): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
softirqs last disabled at (30568): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE
Tainted: [U]=USER
Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025
Call Trace:
<TASK>
dump_stack_lvl+0x7d/0xb0
__might_resched+0x271/0x290
__might_fault+0x28/0x80
kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]
kvm_fetch_guest_virt+0x92/0xc0 [kvm]
__do_insn_fetch_bytes+0xf3/0x1e0 [kvm]
x86_decode_insn+0xd1/0x1010 [kvm]
x86_emulate_instruction+0x105/0x810 [kvm]
__svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]
handle_fastpath_invd+0xc4/0x1a0 [kvm]
vcpu_run+0x11a1/0x1db0 [kvm]
kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]
kvm_vcpu_ioctl+0x578/0x6a0 [kvm]
__se_sys_ioctl+0x6d/0xb0
do_syscall_64+0x8a/0x2c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f479d57a94b
</TASK>
Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM:
Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with
different justification (KVM now grabs SRCU when skipping the instruction
for other reasons).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b439eb8ab578557263815ba8581d02c1b730e348 , < cd3efb93677c4b0cf76348882fb429165fee33fd
(git)
Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < f994e9c790ce97d3cf01af4d0a1b9add0c955aee (git) Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70 (git) Affected: b439eb8ab578557263815ba8581d02c1b730e348 , < 0910dd7c9ad45a2605c45fd2bf3d1bcac087687c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd3efb93677c4b0cf76348882fb429165fee33fd",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "f994e9c790ce97d3cf01af4d0a1b9add0c955aee",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
},
{
"lessThan": "0910dd7c9ad45a2605c45fd2bf3d1bcac087687c",
"status": "affected",
"version": "b439eb8ab578557263815ba8581d02c1b730e348",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn\u0027t valid\n\nSkip the WRMSR and HLT fastpaths in SVM\u0027s VM-Exit handler if the next RIP\nisn\u0027t valid, e.g. because KVM is running with nrips=false. SVM must\ndecode and emulate to skip the instruction if the CPU doesn\u0027t provide the\nnext RIP, and getting the instruction bytes to decode requires reading\nguest memory. Reading guest memory through the emulator can fault, i.e.\ncan sleep, which is disallowed since the fastpath handlers run with IRQs\ndisabled.\n\n BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu\n preempt_count: 1, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 30580\n hardirqs last enabled at (30579): [\u003cffffffffc08b2527\u003e] vcpu_run+0x1787/0x1db0 [kvm]\n hardirqs last disabled at (30580): [\u003cffffffffb4f62e32\u003e] __schedule+0x1e2/0xed0\n softirqs last enabled at (30570): [\u003cffffffffb4247a64\u003e] fpu_swap_kvm_fpstate+0x44/0x210\n softirqs last disabled at (30568): [\u003cffffffffb4247a64\u003e] fpu_swap_kvm_fpstate+0x44/0x210\n CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE\n Tainted: [U]=USER\n Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7d/0xb0\n __might_resched+0x271/0x290\n __might_fault+0x28/0x80\n kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]\n kvm_fetch_guest_virt+0x92/0xc0 [kvm]\n __do_insn_fetch_bytes+0xf3/0x1e0 [kvm]\n x86_decode_insn+0xd1/0x1010 [kvm]\n x86_emulate_instruction+0x105/0x810 [kvm]\n __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]\n handle_fastpath_invd+0xc4/0x1a0 [kvm]\n vcpu_run+0x11a1/0x1db0 [kvm]\n kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]\n kvm_vcpu_ioctl+0x578/0x6a0 [kvm]\n __se_sys_ioctl+0x6d/0xb0\n do_syscall_64+0x8a/0x2c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f479d57a94b\n \u003c/TASK\u003e\n\nNote, this is essentially a reapply of commit 5c30e8101e8d (\"KVM: SVM:\nSkip WRMSR fastpath on VM-Exit if next RIP isn\u0027t valid\"), but with\ndifferent justification (KVM now grabs SRCU when skipping the instruction\nfor other reasons)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:42.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd3efb93677c4b0cf76348882fb429165fee33fd"
},
{
"url": "https://git.kernel.org/stable/c/f994e9c790ce97d3cf01af4d0a1b9add0c955aee"
},
{
"url": "https://git.kernel.org/stable/c/da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70"
},
{
"url": "https://git.kernel.org/stable/c/0910dd7c9ad45a2605c45fd2bf3d1bcac087687c"
}
],
"title": "KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn\u0027t valid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40038",
"datePublished": "2025-10-28T11:48:18.889Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:42.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38359 (GCVE-0-2025-38359)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:47 – Updated: 2025-07-28 04:19
VLAI?
EPSS
Title
s390/mm: Fix in_atomic() handling in do_secure_storage_access()
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/mm: Fix in_atomic() handling in do_secure_storage_access()
Kernel user spaces accesses to not exported pages in atomic context
incorrectly try to resolve the page fault.
With debug options enabled call traces like this can be seen:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0
CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39
Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT
Tainted: [W]=WARN
Hardware name: IBM 3931 A01 703 (LPAR)
Call Trace:
[<00000383e990d282>] dump_stack_lvl+0xa2/0xe8
[<00000383e99bf152>] __might_resched+0x292/0x2d0
[<00000383eaa7c374>] down_read+0x34/0x2d0
[<00000383e99432f8>] do_secure_storage_access+0x108/0x360
[<00000383eaa724b0>] __do_pgm_check+0x130/0x220
[<00000383eaa842e4>] pgm_check_handler+0x114/0x160
[<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0
([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0)
[<00000383e9c45eae>] generic_perform_write+0x16e/0x310
[<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160
[<00000383e9da0de4>] vfs_write+0x1c4/0x460
[<00000383e9da123c>] ksys_write+0x7c/0x100
[<00000383eaa7284e>] __do_syscall+0x15e/0x280
[<00000383eaa8417e>] system_call+0x6e/0x90
INFO: lockdep is turned off.
It is not allowed to take the mmap_lock while in atomic context. Therefore
handle such a secure storage access fault as if the accessed page is not
mapped: the uaccess function will return -EFAULT, and the caller has to
deal with this. Usually this means that the access is retried in process
context, which allows to resolve the page fault (or in this case export the
page).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2e317dfd2d1fe416c77315d17c5d57dbe374915",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11709abccf93b08adde95ef313c300b0d4bc28f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Fix in_atomic() handling in do_secure_storage_access()\n\nKernel user spaces accesses to not exported pages in atomic context\nincorrectly try to resolve the page fault.\nWith debug options enabled call traces like this can be seen:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39\npreempt_count: 1, expected: 0\nRCU nest depth: 0, expected: 0\nINFO: lockdep is turned off.\nPreemption disabled at:\n[\u003c00000383ea47cfa2\u003e] copy_page_from_iter_atomic+0xa2/0x8a0\nCPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39\nTainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT\nTainted: [W]=WARN\nHardware name: IBM 3931 A01 703 (LPAR)\nCall Trace:\n [\u003c00000383e990d282\u003e] dump_stack_lvl+0xa2/0xe8\n [\u003c00000383e99bf152\u003e] __might_resched+0x292/0x2d0\n [\u003c00000383eaa7c374\u003e] down_read+0x34/0x2d0\n [\u003c00000383e99432f8\u003e] do_secure_storage_access+0x108/0x360\n [\u003c00000383eaa724b0\u003e] __do_pgm_check+0x130/0x220\n [\u003c00000383eaa842e4\u003e] pgm_check_handler+0x114/0x160\n [\u003c00000383ea47d028\u003e] copy_page_from_iter_atomic+0x128/0x8a0\n([\u003c00000383ea47d016\u003e] copy_page_from_iter_atomic+0x116/0x8a0)\n [\u003c00000383e9c45eae\u003e] generic_perform_write+0x16e/0x310\n [\u003c00000383e9eb87f4\u003e] ext4_buffered_write_iter+0x84/0x160\n [\u003c00000383e9da0de4\u003e] vfs_write+0x1c4/0x460\n [\u003c00000383e9da123c\u003e] ksys_write+0x7c/0x100\n [\u003c00000383eaa7284e\u003e] __do_syscall+0x15e/0x280\n [\u003c00000383eaa8417e\u003e] system_call+0x6e/0x90\nINFO: lockdep is turned off.\n\nIt is not allowed to take the mmap_lock while in atomic context. Therefore\nhandle such a secure storage access fault as if the accessed page is not\nmapped: the uaccess function will return -EFAULT, and the caller has to\ndeal with this. Usually this means that the access is retried in process\ncontext, which allows to resolve the page fault (or in this case export the\npage)."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:19:52.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2e317dfd2d1fe416c77315d17c5d57dbe374915"
},
{
"url": "https://git.kernel.org/stable/c/11709abccf93b08adde95ef313c300b0d4bc28f1"
}
],
"title": "s390/mm: Fix in_atomic() handling in do_secure_storage_access()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38359",
"datePublished": "2025-07-25T12:47:30.441Z",
"dateReserved": "2025-04-16T04:51:24.007Z",
"dateUpdated": "2025-07-28T04:19:52.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40188 (GCVE-0-2025-40188)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
pwm: berlin: Fix wrong register in suspend/resume
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: berlin: Fix wrong register in suspend/resume
The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
will be cpu exception then kernel panic during suspend/resume.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bbf0722c1c663b08f612bd8c58af27f45aa84862 , < da3cadb8b0f35d845b3e2fbb7d978cf6473fd221
(git)
Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 9ee5eb3d09217f115f63b7c102d110ccdb1b26af (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < fd017aabd4273216ed4223f17991fc087163771f (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < dc3a1c6237e7f8046e6d4109bcf1998452ccafad (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < d9457e6258750692c3b27f80880a613178053c25 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 6cef9e4425143b19742044c8a675335821fa1994 (git) Affected: bbf0722c1c663b08f612bd8c58af27f45aa84862 , < 3a4b9d027e4061766f618292df91760ea64a1fcc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da3cadb8b0f35d845b3e2fbb7d978cf6473fd221",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "9ee5eb3d09217f115f63b7c102d110ccdb1b26af",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "fd017aabd4273216ed4223f17991fc087163771f",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "dc3a1c6237e7f8046e6d4109bcf1998452ccafad",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "d9457e6258750692c3b27f80880a613178053c25",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "6cef9e4425143b19742044c8a675335821fa1994",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "3a4b9d027e4061766f618292df91760ea64a1fcc",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: berlin: Fix wrong register in suspend/resume\n\nThe \u0027enable\u0027 register should be BERLIN_PWM_EN rather than\nBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there\nwill be cpu exception then kernel panic during suspend/resume."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:46.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221"
},
{
"url": "https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444"
},
{
"url": "https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af"
},
{
"url": "https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f"
},
{
"url": "https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad"
},
{
"url": "https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25"
},
{
"url": "https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994"
},
{
"url": "https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc"
}
],
"title": "pwm: berlin: Fix wrong register in suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40188",
"datePublished": "2025-11-12T21:56:30.108Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:46.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40120 (GCVE-0-2025-40120)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
Prevent USB runtime PM (autosuspend) for AX88772* in bind.
usbnet enables runtime PM (autosuspend) by default, so disabling it via
the usb_driver flag is ineffective. On AX88772B, autosuspend shows no
measurable power saving with current driver (no link partner, admin
up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering
the PHY off on admin-down, not from USB autosuspend.
The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)
may synchronously trigger autoresume (usb_autopm_get_interface()) into
asix_resume() while the USB PM lock is held. Resume paths then invoke
phylink/phylib and MDIO, which also expect RTNL, leading to possible
deadlocks or PM lock vs MDIO wake issues.
To avoid this, keep the device runtime-PM active by taking a usage
reference in ax88772_bind() and dropping it in unbind(). A non-zero PM
usage count blocks runtime suspend regardless of userspace policy
(.../power/control - pm_runtime_allow/forbid), making this approach
robust against sysfs overrides.
Holding a runtime-PM usage ref does not affect system-wide suspend;
system sleep/resume callbacks continue to run as before.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 71a0ba7fdaf8d035426912a4ed7bf1738a81010c
(git)
Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 3e96cd27ff1a004d84908c1b6cc68ac60913874e (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 724a9db84188f80ef60b1f21cc7b4e9c84e0cb64 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 1534517300e12f2930b6ff477b8820ff658afd11 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4 (git) Affected: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 , < 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a0ba7fdaf8d035426912a4ed7bf1738a81010c",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3e96cd27ff1a004d84908c1b6cc68ac60913874e",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "724a9db84188f80ef60b1f21cc7b4e9c84e0cb64",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "1534517300e12f2930b6ff477b8820ff658afd11",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3d3c4cd5c62f24bb3cb4511b7a95df707635e00a",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock\n\nPrevent USB runtime PM (autosuspend) for AX88772* in bind.\n\nusbnet enables runtime PM (autosuspend) by default, so disabling it via\nthe usb_driver flag is ineffective. On AX88772B, autosuspend shows no\nmeasurable power saving with current driver (no link partner, admin\nup/down). The ~0.453 W -\u003e ~0.248 W drop on v6.1 comes from phylib powering\nthe PHY off on admin-down, not from USB autosuspend.\n\nThe real hazard is that with runtime PM enabled, ndo_open() (under RTNL)\nmay synchronously trigger autoresume (usb_autopm_get_interface()) into\nasix_resume() while the USB PM lock is held. Resume paths then invoke\nphylink/phylib and MDIO, which also expect RTNL, leading to possible\ndeadlocks or PM lock vs MDIO wake issues.\n\nTo avoid this, keep the device runtime-PM active by taking a usage\nreference in ax88772_bind() and dropping it in unbind(). A non-zero PM\nusage count blocks runtime suspend regardless of userspace policy\n(.../power/control - pm_runtime_allow/forbid), making this approach\nrobust against sysfs overrides.\n\nHolding a runtime-PM usage ref does not affect system-wide suspend;\nsystem sleep/resume callbacks continue to run as before."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:24.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a0ba7fdaf8d035426912a4ed7bf1738a81010c"
},
{
"url": "https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e"
},
{
"url": "https://git.kernel.org/stable/c/724a9db84188f80ef60b1f21cc7b4e9c84e0cb64"
},
{
"url": "https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11"
},
{
"url": "https://git.kernel.org/stable/c/9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4"
},
{
"url": "https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a"
}
],
"title": "net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40120",
"datePublished": "2025-11-12T10:23:18.726Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:24.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40141 (GCVE-0-2025-40141)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
Bluetooth: ISO: Fix possible UAF on iso_conn_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix possible UAF on iso_conn_free
This attempt to fix similar issue to sco_conn_free where if the
conn->sk is not set to NULL may lead to UAF on iso_conn_free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ccf74f2390d60a2f9a75ef496d2564abb478f46a , < eba6d787ec117a5d2c60f9644e0a39c18542b6be
(git)
Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 5319145a07d8bf5b0782b25cb3115825689d42bb (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 80689777919f02328eb873769de4647c9dd3e371 (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < c92ad1a155ccfa38b87bd1d998287e1c0a24248d (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eba6d787ec117a5d2c60f9644e0a39c18542b6be",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "5319145a07d8bf5b0782b25cb3115825689d42bb",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "80689777919f02328eb873769de4647c9dd3e371",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "c92ad1a155ccfa38b87bd1d998287e1c0a24248d",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix possible UAF on iso_conn_free\n\nThis attempt to fix similar issue to sco_conn_free where if the\nconn-\u003esk is not set to NULL may lead to UAF on iso_conn_free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:49.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eba6d787ec117a5d2c60f9644e0a39c18542b6be"
},
{
"url": "https://git.kernel.org/stable/c/5319145a07d8bf5b0782b25cb3115825689d42bb"
},
{
"url": "https://git.kernel.org/stable/c/80689777919f02328eb873769de4647c9dd3e371"
},
{
"url": "https://git.kernel.org/stable/c/c92ad1a155ccfa38b87bd1d998287e1c0a24248d"
},
{
"url": "https://git.kernel.org/stable/c/9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8"
}
],
"title": "Bluetooth: ISO: Fix possible UAF on iso_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40141",
"datePublished": "2025-11-12T10:23:24.856Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:49.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40059 (GCVE-0-2025-40059)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
coresight: Fix incorrect handling for return value of devm_kzalloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: Fix incorrect handling for return value of devm_kzalloc
The return value of devm_kzalloc could be an null pointer,
use "!desc.pdata" to fix incorrect handling return value
of devm_kzalloc.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4277f035d227e829133df284be7e35b7236a5b0f , < 8c4e7e646d5d9050b374baf5c6bb3a00fb79e206
(git)
Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 9688b66d0a5e0eecf44f6286b8d9f7a161264035 (git) Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 70714eb7243eaf333d23501d4c7bdd9daf011c01 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c4e7e646d5d9050b374baf5c6bb3a00fb79e206",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "9688b66d0a5e0eecf44f6286b8d9f7a161264035",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "70714eb7243eaf333d23501d4c7bdd9daf011c01",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Fix incorrect handling for return value of devm_kzalloc\n\nThe return value of devm_kzalloc could be an null pointer,\nuse \"!desc.pdata\" to fix incorrect handling return value\nof devm_kzalloc."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:08.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c4e7e646d5d9050b374baf5c6bb3a00fb79e206"
},
{
"url": "https://git.kernel.org/stable/c/9688b66d0a5e0eecf44f6286b8d9f7a161264035"
},
{
"url": "https://git.kernel.org/stable/c/70714eb7243eaf333d23501d4c7bdd9daf011c01"
}
],
"title": "coresight: Fix incorrect handling for return value of devm_kzalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40059",
"datePublished": "2025-10-28T11:48:32.186Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:08.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40127 (GCVE-0-2025-40127)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
hwrng: ks-sa - fix division by zero in ks_sa_rng_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: ks-sa - fix division by zero in ks_sa_rng_init
Fix division by zero in ks_sa_rng_init caused by missing clock
pointer initialization. The clk_get_rate() call is performed on
an uninitialized clk pointer, resulting in division by zero when
calculating delay values.
Add clock initialization code before using the clock.
drivers/char/hw_random/ks-sa-rng.c | 7 +++++++
1 file changed, 7 insertions(+)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 692a04a1e0cde1d80a33df0078c755cf02cd7268
(git)
Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < d76b099011fa056950f63d05ebb6160991242f6a (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < eec7e0e19c1fa75dc65e25aa6a21ef24a03849af (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < f4238064379a91e71a9c258996acac43c50c2094 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2 (git) Affected: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b , < 612b1dfeb414dfa780a6316014ceddf9a74ff5c0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "692a04a1e0cde1d80a33df0078c755cf02cd7268",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "d76b099011fa056950f63d05ebb6160991242f6a",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "eec7e0e19c1fa75dc65e25aa6a21ef24a03849af",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "f4238064379a91e71a9c258996acac43c50c2094",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "612b1dfeb414dfa780a6316014ceddf9a74ff5c0",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: ks-sa - fix division by zero in ks_sa_rng_init\n\nFix division by zero in ks_sa_rng_init caused by missing clock\npointer initialization. The clk_get_rate() call is performed on\nan uninitialized clk pointer, resulting in division by zero when\ncalculating delay values.\n\nAdd clock initialization code before using the clock.\n\n\n drivers/char/hw_random/ks-sa-rng.c | 7 +++++++\n 1 file changed, 7 insertions(+)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:33.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/692a04a1e0cde1d80a33df0078c755cf02cd7268"
},
{
"url": "https://git.kernel.org/stable/c/d76b099011fa056950f63d05ebb6160991242f6a"
},
{
"url": "https://git.kernel.org/stable/c/eec7e0e19c1fa75dc65e25aa6a21ef24a03849af"
},
{
"url": "https://git.kernel.org/stable/c/f4238064379a91e71a9c258996acac43c50c2094"
},
{
"url": "https://git.kernel.org/stable/c/2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2"
},
{
"url": "https://git.kernel.org/stable/c/55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2"
},
{
"url": "https://git.kernel.org/stable/c/612b1dfeb414dfa780a6316014ceddf9a74ff5c0"
}
],
"title": "hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40127",
"datePublished": "2025-11-12T10:23:20.775Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:33.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40115 (GCVE-0-2025-40115)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
During mpt3sas_transport_port_remove(), messages were logged with
dev_printk() against &mpt3sas_port->port->dev. At this point the SAS
transport device may already be partially unregistered or freed, leading
to a crash when accessing its struct device.
Using ioc_info(), which logs via the PCI device (ioc->pdev->dev),
guaranteed to remain valid until driver removal.
[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)
[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff
[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206
[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32
[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845
[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8
[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000
[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30
[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000
[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0
[83428.295844] PKRU: 55555554
[83428.295846] Call Trace:
[83428.295848] <TASK>
[83428.295850] _dev_printk+0x5c/0x80
[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]
[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]
[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]
[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]
[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]
[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]
[83428.295957] pci_device_remove+0x3b/0xb0
[83428.295962] device_release_driver_internal+0x193/0x200
[83428.295968] driver_detach+0x44/0x90
[83428.295971] bus_remove_driver+0x69/0xf0
[83428.295975] pci_unregister_driver+0x2a/0xb0
[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]
[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310
[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296000] ? __x64_sys_getdents64+0x9a/0x110
[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296009] ? syscall_trace_enter+0xf6/0x1b0
[83428.296014] do_syscall_64+0x7b/0x2c0
[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f92363d12359498f9a9960511de1a550f0ec41c2 , < b3a6d153861d0f29b80882470d14aafb8d687dc2
(git)
Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 4e1442bae50ed633c2fe8058f47cd79b4ad88b9b (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < a89253eb4e648deace48a4e38996afd182eb95e3 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < fa153fb40c61f8ca01237427c97a0b93ba32c403 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 6459dba4f35017448535a799cf699d5205eb5489 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8 (git) Affected: f92363d12359498f9a9960511de1a550f0ec41c2 , < 1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a6d153861d0f29b80882470d14aafb8d687dc2",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "4e1442bae50ed633c2fe8058f47cd79b4ad88b9b",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "a89253eb4e648deace48a4e38996afd182eb95e3",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "fa153fb40c61f8ca01237427c97a0b93ba32c403",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6459dba4f35017448535a799cf699d5205eb5489",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1703fe4f8ae50d1fb6449854e1fcaed1053e3a14",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix crash in transport port remove by using ioc_info()\n\nDuring mpt3sas_transport_port_remove(), messages were logged with\ndev_printk() against \u0026mpt3sas_port-\u003eport-\u003edev. At this point the SAS\ntransport device may already be partially unregistered or freed, leading\nto a crash when accessing its struct device.\n\nUsing ioc_info(), which logs via the PCI device (ioc-\u003epdev-\u003edev),\nguaranteed to remain valid until driver removal.\n\n[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI\n[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)\n[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024\n[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70\n[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 \u003c48\u003e 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff\n[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206\n[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32\n[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845\n[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8\n[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000\n[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30\n[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000\n[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0\n[83428.295844] PKRU: 55555554\n[83428.295846] Call Trace:\n[83428.295848] \u003cTASK\u003e\n[83428.295850] _dev_printk+0x5c/0x80\n[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]\n[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]\n[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]\n[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]\n[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]\n[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]\n[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]\n[83428.295957] pci_device_remove+0x3b/0xb0\n[83428.295962] device_release_driver_internal+0x193/0x200\n[83428.295968] driver_detach+0x44/0x90\n[83428.295971] bus_remove_driver+0x69/0xf0\n[83428.295975] pci_unregister_driver+0x2a/0xb0\n[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]\n[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310\n[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296000] ? __x64_sys_getdents64+0x9a/0x110\n[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296009] ? syscall_trace_enter+0xf6/0x1b0\n[83428.296014] do_syscall_64+0x7b/0x2c0\n[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:18.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2"
},
{
"url": "https://git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b"
},
{
"url": "https://git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3"
},
{
"url": "https://git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403"
},
{
"url": "https://git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489"
},
{
"url": "https://git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62"
},
{
"url": "https://git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8"
},
{
"url": "https://git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14"
}
],
"title": "scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40115",
"datePublished": "2025-11-12T10:23:17.283Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:18.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40183 (GCVE-0-2025-40183)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, which turned out
over time that the kmalloc-256 slab usage in kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b4ab31414970a7a03a5d55d75083f2c101a30592 , < 3fba965a9aac0fa3cbd8138436a37af9ab466d79
(git)
Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 057764172fcc6ee2ccb6c41351a55a9f054dc8fd (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 2e67c2037382abb56497bb9d7b7e10be04eb5598 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < b6bfe44b6dbb14a31d86c475cdc9c7689534fb09 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < f36a305d30f557306d87c787ddffe094ac5dac89 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 7404ce888a45eb7da0508b7cbbe6f2e95302eeb8 (git) Affected: b4ab31414970a7a03a5d55d75083f2c101a30592 , < 23f3770e1a53e6c7a553135011f547209e141e72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fba965a9aac0fa3cbd8138436a37af9ab466d79",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "057764172fcc6ee2ccb6c41351a55a9f054dc8fd",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "2e67c2037382abb56497bb9d7b7e10be04eb5598",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "b6bfe44b6dbb14a31d86c475cdc9c7689534fb09",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "f36a305d30f557306d87c787ddffe094ac5dac89",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "7404ce888a45eb7da0508b7cbbe6f2e95302eeb8",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "23f3770e1a53e6c7a553135011f547209e141e72",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}\n\nCilium has a BPF egress gateway feature which forces outgoing K8s Pod\ntraffic to pass through dedicated egress gateways which then SNAT the\ntraffic in order to interact with stable IPs outside the cluster.\n\nThe traffic is directed to the gateway via vxlan tunnel in collect md\nmode. A recent BPF change utilized the bpf_redirect_neigh() helper to\nforward packets after the arrival and decap on vxlan, which turned out\nover time that the kmalloc-256 slab usage in kernel was ever-increasing.\n\nThe issue was that vxlan allocates the metadata_dst object and attaches\nit through a fake dst entry to the skb. The latter was never released\nthough given bpf_redirect_neigh() was merely setting the new dst entry\nvia skb_dst_set() without dropping an existing one first."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:40.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79"
},
{
"url": "https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd"
},
{
"url": "https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598"
},
{
"url": "https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09"
},
{
"url": "https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89"
},
{
"url": "https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8"
},
{
"url": "https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72"
}
],
"title": "bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40183",
"datePublished": "2025-11-12T21:56:27.429Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:40.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37916 (GCVE-0-2025-37916)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2025-05-26 05:23
VLAI?
EPSS
Title
pds_core: remove write-after-free of client_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
pds_core: remove write-after-free of client_id
A use-after-free error popped up in stress testing:
[Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core]
[Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47):
[Mon Apr 21 21:21:33 2025] pdsc_auxbus_dev_del+0xef/0x160 [pds_core]
[Mon Apr 21 21:21:33 2025] pdsc_remove+0xc0/0x1b0 [pds_core]
[Mon Apr 21 21:21:33 2025] pci_device_remove+0x24/0x70
[Mon Apr 21 21:21:33 2025] device_release_driver_internal+0x11f/0x180
[Mon Apr 21 21:21:33 2025] driver_detach+0x45/0x80
[Mon Apr 21 21:21:33 2025] bus_remove_driver+0x83/0xe0
[Mon Apr 21 21:21:33 2025] pci_unregister_driver+0x1a/0x80
The actual device uninit usually happens on a separate thread
scheduled after this code runs, but there is no guarantee of order
of thread execution, so this could be a problem. There's no
actual need to clear the client_id at this point, so simply
remove the offending code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
10659034c622738bc1bfab8a76fc576c52d5acce , < 9b467c5bcdb45a41d2a49fbb9ffca73d1380e99b
(git)
Affected: 10659034c622738bc1bfab8a76fc576c52d5acce , < c649b9653ed09196e91d3f4b16b679041b3c42e6 (git) Affected: 10659034c622738bc1bfab8a76fc576c52d5acce , < 26dc701021302f11c8350108321d11763bd81dfe (git) Affected: 10659034c622738bc1bfab8a76fc576c52d5acce , < dfd76010f8e821b66116dec3c7d90dd2403d1396 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amd/pds_core/auxbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b467c5bcdb45a41d2a49fbb9ffca73d1380e99b",
"status": "affected",
"version": "10659034c622738bc1bfab8a76fc576c52d5acce",
"versionType": "git"
},
{
"lessThan": "c649b9653ed09196e91d3f4b16b679041b3c42e6",
"status": "affected",
"version": "10659034c622738bc1bfab8a76fc576c52d5acce",
"versionType": "git"
},
{
"lessThan": "26dc701021302f11c8350108321d11763bd81dfe",
"status": "affected",
"version": "10659034c622738bc1bfab8a76fc576c52d5acce",
"versionType": "git"
},
{
"lessThan": "dfd76010f8e821b66116dec3c7d90dd2403d1396",
"status": "affected",
"version": "10659034c622738bc1bfab8a76fc576c52d5acce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amd/pds_core/auxbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: remove write-after-free of client_id\n\nA use-after-free error popped up in stress testing:\n\n[Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core]\n[Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47):\n[Mon Apr 21 21:21:33 2025] pdsc_auxbus_dev_del+0xef/0x160 [pds_core]\n[Mon Apr 21 21:21:33 2025] pdsc_remove+0xc0/0x1b0 [pds_core]\n[Mon Apr 21 21:21:33 2025] pci_device_remove+0x24/0x70\n[Mon Apr 21 21:21:33 2025] device_release_driver_internal+0x11f/0x180\n[Mon Apr 21 21:21:33 2025] driver_detach+0x45/0x80\n[Mon Apr 21 21:21:33 2025] bus_remove_driver+0x83/0xe0\n[Mon Apr 21 21:21:33 2025] pci_unregister_driver+0x1a/0x80\n\nThe actual device uninit usually happens on a separate thread\nscheduled after this code runs, but there is no guarantee of order\nof thread execution, so this could be a problem. There\u0027s no\nactual need to clear the client_id at this point, so simply\nremove the offending code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:23:38.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b467c5bcdb45a41d2a49fbb9ffca73d1380e99b"
},
{
"url": "https://git.kernel.org/stable/c/c649b9653ed09196e91d3f4b16b679041b3c42e6"
},
{
"url": "https://git.kernel.org/stable/c/26dc701021302f11c8350108321d11763bd81dfe"
},
{
"url": "https://git.kernel.org/stable/c/dfd76010f8e821b66116dec3c7d90dd2403d1396"
}
],
"title": "pds_core: remove write-after-free of client_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37916",
"datePublished": "2025-05-20T15:21:47.088Z",
"dateReserved": "2025-04-16T04:51:23.967Z",
"dateUpdated": "2025-05-26T05:23:38.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40040 (GCVE-0-2025-40040)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
mm/ksm: fix flag-dropping behavior in ksm_madvise
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/ksm: fix flag-dropping behavior in ksm_madvise
syzkaller discovered the following crash: (kernel BUG)
[ 44.607039] ------------[ cut here ]------------
[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
<snip other registers, drop unreliable trace>
[ 44.617726] Call Trace:
[ 44.617926] <TASK>
[ 44.619284] userfaultfd_release+0xef/0x1b0
[ 44.620976] __fput+0x3f9/0xb60
[ 44.621240] fput_close_sync+0x110/0x210
[ 44.622222] __x64_sys_close+0x8f/0x120
[ 44.622530] do_syscall_64+0x5b/0x2f0
[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 44.623244] RIP: 0033:0x7f365bb3f227
Kernel panics because it detects UFFD inconsistency during
userfaultfd_release_all(). Specifically, a VMA which has a valid pointer
to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.
The inconsistency is caused in ksm_madvise(): when user calls madvise()
with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,
it accidentally clears all flags stored in the upper 32 bits of
vma->vm_flags.
Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and
int are 32-bit wide. This setup causes the following mishap during the &=
~VM_MERGEABLE assignment.
VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.
After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then
promoted to unsigned long before the & operation. This promotion fills
upper 32 bits with leading 0s, as we're doing unsigned conversion (and
even for a signed conversion, this wouldn't help as the leading bit is 0).
& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff
instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears
the upper 32-bits of its value.
Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the
BIT() macro.
Note: other VM_* flags are not affected: This only happens to the
VM_MERGEABLE flag, as the other VM_* flags are all constants of type int
and after ~ operation, they end up with leading 1 and are thus converted
to unsigned long with leading 1s.
Note 2:
After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is
no longer a kernel BUG, but a WARNING at the same place:
[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067
but the root-cause (flag-drop) remains the same.
[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < b69f19244c2b6475c8a6eb72f0fb0d53509e48cd
(git)
Affected: 7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < 41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693 (git) Affected: 7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < 92b82e232b8d8b116ac6e57aeae7a6033db92c60 (git) Affected: 7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < ac50c6e0a8f91a02b681af81abb2362fbb67cc18 (git) Affected: 7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < 76385629f45740b7888f8fcd83bde955b10f61fe (git) Affected: 7677f7fd8be76659cd2d0db8ff4093bbb51c20e5 , < f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b69f19244c2b6475c8a6eb72f0fb0d53509e48cd",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
},
{
"lessThan": "41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
},
{
"lessThan": "92b82e232b8d8b116ac6e57aeae7a6033db92c60",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
},
{
"lessThan": "ac50c6e0a8f91a02b681af81abb2362fbb67cc18",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
},
{
"lessThan": "76385629f45740b7888f8fcd83bde955b10f61fe",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
},
{
"lessThan": "f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93",
"status": "affected",
"version": "7677f7fd8be76659cd2d0db8ff4093bbb51c20e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ksm: fix flag-dropping behavior in ksm_madvise\n\nsyzkaller discovered the following crash: (kernel BUG)\n\n[ 44.607039] ------------[ cut here ]------------\n[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!\n[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)\n[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460\n\n\u003csnip other registers, drop unreliable trace\u003e\n\n[ 44.617726] Call Trace:\n[ 44.617926] \u003cTASK\u003e\n[ 44.619284] userfaultfd_release+0xef/0x1b0\n[ 44.620976] __fput+0x3f9/0xb60\n[ 44.621240] fput_close_sync+0x110/0x210\n[ 44.622222] __x64_sys_close+0x8f/0x120\n[ 44.622530] do_syscall_64+0x5b/0x2f0\n[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 44.623244] RIP: 0033:0x7f365bb3f227\n\nKernel panics because it detects UFFD inconsistency during\nuserfaultfd_release_all(). Specifically, a VMA which has a valid pointer\nto vma-\u003evm_userfaultfd_ctx, but no UFFD flags in vma-\u003evm_flags.\n\nThe inconsistency is caused in ksm_madvise(): when user calls madvise()\nwith MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,\nit accidentally clears all flags stored in the upper 32 bits of\nvma-\u003evm_flags.\n\nAssuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and\nint are 32-bit wide. This setup causes the following mishap during the \u0026=\n~VM_MERGEABLE assignment.\n\nVM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000\u00270000. \nAfter ~ is applied, it becomes 0x7fff\u0027ffff unsigned int, which is then\npromoted to unsigned long before the \u0026 operation. This promotion fills\nupper 32 bits with leading 0s, as we\u0027re doing unsigned conversion (and\neven for a signed conversion, this wouldn\u0027t help as the leading bit is 0).\n\u0026 operation thus ends up AND-ing vm_flags with 0x0000\u00270000\u00277fff\u0027ffff\ninstead of intended 0xffff\u0027ffff\u00277fff\u0027ffff and hence accidentally clears\nthe upper 32-bits of its value.\n\nFix it by changing `VM_MERGEABLE` constant to unsigned long, using the\nBIT() macro.\n\nNote: other VM_* flags are not affected: This only happens to the\nVM_MERGEABLE flag, as the other VM_* flags are all constants of type int\nand after ~ operation, they end up with leading 1 and are thus converted\nto unsigned long with leading 1s.\n\nNote 2:\nAfter commit 31defc3b01d9 (\"userfaultfd: remove (VM_)BUG_ON()s\"), this is\nno longer a kernel BUG, but a WARNING at the same place:\n\n[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067\n\nbut the root-cause (flag-drop) remains the same.\n\n[akpm@linux-foundation.org: rust bindgen wasn\u0027t able to handle BIT(), from Miguel]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:38.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b69f19244c2b6475c8a6eb72f0fb0d53509e48cd"
},
{
"url": "https://git.kernel.org/stable/c/41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693"
},
{
"url": "https://git.kernel.org/stable/c/92b82e232b8d8b116ac6e57aeae7a6033db92c60"
},
{
"url": "https://git.kernel.org/stable/c/ac50c6e0a8f91a02b681af81abb2362fbb67cc18"
},
{
"url": "https://git.kernel.org/stable/c/76385629f45740b7888f8fcd83bde955b10f61fe"
},
{
"url": "https://git.kernel.org/stable/c/f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93"
}
],
"title": "mm/ksm: fix flag-dropping behavior in ksm_madvise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40040",
"datePublished": "2025-10-28T11:48:20.395Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-06T21:38:38.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53093 (GCVE-0-2024-53093)
Vulnerability from cvelistv5 – Published: 2024-11-21 18:17 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
nvme-multipath: defer partition scanning
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-multipath: defer partition scanning
We need to suppress the partition scan from occuring within the
controller's scan_work context. If a path error occurs here, the IO will
wait until a path becomes available or all paths are torn down, but that
action also occurs within scan_work, so it would deadlock. Defer the
partion scan to a different context that does not block scan_work.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
32acab3181c7053c775ca128c3a5c6ce50197d7f , < 60de2e03f984cfbcdc12fa552f95087c35a05a98
(git)
Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < 4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e (git) Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < a91b7eddf45afeeb9c5ece11dddff5de0921b00f (git) Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < 1f021341eef41e77a633186e9be5223de2ce5d48 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:11:24.276538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:13.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:29:08.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c",
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2e03f984cfbcdc12fa552f95087c35a05a98",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "a91b7eddf45afeeb9c5ece11dddff5de0921b00f",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "1f021341eef41e77a633186e9be5223de2ce5d48",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c",
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.118",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.62",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.9",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: defer partition scanning\n\nWe need to suppress the partition scan from occuring within the\ncontroller\u0027s scan_work context. If a path error occurs here, the IO will\nwait until a path becomes available or all paths are torn down, but that\naction also occurs within scan_work, so it would deadlock. Defer the\npartion scan to a different context that does not block scan_work."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:40.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2e03f984cfbcdc12fa552f95087c35a05a98"
},
{
"url": "https://git.kernel.org/stable/c/4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e"
},
{
"url": "https://git.kernel.org/stable/c/a91b7eddf45afeeb9c5ece11dddff5de0921b00f"
},
{
"url": "https://git.kernel.org/stable/c/1f021341eef41e77a633186e9be5223de2ce5d48"
}
],
"title": "nvme-multipath: defer partition scanning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53093",
"datePublished": "2024-11-21T18:17:09.807Z",
"dateReserved": "2024-11-19T17:17:24.982Z",
"dateUpdated": "2025-12-20T08:51:40.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40121 (GCVE-0-2025-40121)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver just ignores and leaves as is, which may lead to
unepxected results like OOB access.
This patch adds the sanity check and corrects the input mapping to the
certain default value if an invalid value is passed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < bff827b0d507e52b23efab9f67c232a4f037ab2c
(git)
Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 64a36a7032082b4c330ce081acb6efb99246020e (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 95e29db33b5f73218ae08ebb48c61c9a8d28e2ff (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 2204e582b4eea872e1e7a5c90edcb84b928c68b0 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < f197894de2f4ef46c7d53827d9df294b75c35e13 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < fdf99978a6480e14405212472b6c747e0fa43bed (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < c60f269c123210a6846d6d1367de0eaa402c10b0 (git) Affected: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 , < 4336efb59ef364e691ef829a73d9dbd4d5ed7c7b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bff827b0d507e52b23efab9f67c232a4f037ab2c",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "64a36a7032082b4c330ce081acb6efb99246020e",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "95e29db33b5f73218ae08ebb48c61c9a8d28e2ff",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "2204e582b4eea872e1e7a5c90edcb84b928c68b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "f197894de2f4ef46c7d53827d9df294b75c35e13",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "fdf99978a6480e14405212472b6c747e0fa43bed",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "c60f269c123210a6846d6d1367de0eaa402c10b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "4336efb59ef364e691ef829a73d9dbd4d5ed7c7b",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver just ignores and leaves as is, which may lead to\nunepxected results like OOB access.\n\nThis patch adds the sanity check and corrects the input mapping to the\ncertain default value if an invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:25.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c"
},
{
"url": "https://git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e"
},
{
"url": "https://git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff"
},
{
"url": "https://git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0"
},
{
"url": "https://git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13"
},
{
"url": "https://git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed"
},
{
"url": "https://git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0"
},
{
"url": "https://git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b"
}
],
"title": "ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40121",
"datePublished": "2025-11-12T10:23:19.000Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40185 (GCVE-0-2025-40185)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ice: ice_adapter: release xa entry on adapter allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: ice_adapter: release xa entry on adapter allocation failure
When ice_adapter_new() fails, the reserved XArray entry created by
xa_insert() is not released. This causes subsequent insertions at
the same index to return -EBUSY, potentially leading to
NULL pointer dereferences.
Reorder the operations as suggested by Przemek Kitszel:
1. Check if adapter already exists (xa_load)
2. Reserve the XArray slot (xa_reserve)
3. Allocate the adapter (ice_adapter_new)
4. Store the adapter (xa_store)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0f0023c649c7bc50543fbe6e1801eb6357b8bd63 , < 7b9269de9815fc34d93dab90bd5169bacbe78e70
(git)
Affected: 0f0023c649c7bc50543fbe6e1801eb6357b8bd63 , < 794abb265de3e792167fe3ea0440c064c722bb84 (git) Affected: 0f0023c649c7bc50543fbe6e1801eb6357b8bd63 , < 2db687f3469dbc5c59bc53d55acafd75d530b497 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_adapter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b9269de9815fc34d93dab90bd5169bacbe78e70",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
},
{
"lessThan": "794abb265de3e792167fe3ea0440c064c722bb84",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
},
{
"lessThan": "2db687f3469dbc5c59bc53d55acafd75d530b497",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_adapter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: ice_adapter: release xa entry on adapter allocation failure\n\nWhen ice_adapter_new() fails, the reserved XArray entry created by\nxa_insert() is not released. This causes subsequent insertions at\nthe same index to return -EBUSY, potentially leading to\nNULL pointer dereferences.\n\nReorder the operations as suggested by Przemek Kitszel:\n1. Check if adapter already exists (xa_load)\n2. Reserve the XArray slot (xa_reserve)\n3. Allocate the adapter (ice_adapter_new)\n4. Store the adapter (xa_store)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:43.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b9269de9815fc34d93dab90bd5169bacbe78e70"
},
{
"url": "https://git.kernel.org/stable/c/794abb265de3e792167fe3ea0440c064c722bb84"
},
{
"url": "https://git.kernel.org/stable/c/2db687f3469dbc5c59bc53d55acafd75d530b497"
}
],
"title": "ice: ice_adapter: release xa entry on adapter allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40185",
"datePublished": "2025-11-12T21:56:28.561Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:43.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50545 (GCVE-0-2022-50545)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2025-10-07 15:21
VLAI?
EPSS
Title
r6040: Fix kmemleak in probe and remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
r6040: Fix kmemleak in probe and remove
There is a memory leaks reported by kmemleak:
unreferenced object 0xffff888116111000 (size 2048):
comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
hex dump (first 32 bytes):
00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................
08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff827e20ee>] phy_device_create+0x4e/0x90
[<ffffffff827e6072>] get_phy_device+0xd2/0x220
[<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
[<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
[<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
...
The problem occurs in probe process as follows:
r6040_init_one:
mdiobus_register
mdiobus_scan <- alloc and register phy_device,
the reference count of phy_device is 3
r6040_mii_probe
phy_connect <- connect to the first phy_device,
so the reference count of the first
phy_device is 4, others are 3
register_netdev <- fault inject succeeded, goto error handling path
// error handling path
err_out_mdio_unregister:
mdiobus_unregister(lp->mii_bus);
err_out_mdio:
mdiobus_free(lp->mii_bus); <- the reference count of the first
phy_device is 1, it is not released
and other phy_devices are released
// similarly, the remove process also has the same problem
The root cause is traced to the phy_device is not disconnected when
removes one r6040 device in r6040_remove_one() or on error handling path
after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
device is connected to the first PHY device of mii_bus, in order to
notify the connected driver when the link status changes, which is the
default behavior of the PHY infrastructure to handle everything.
Therefore the phy_device should be disconnected when removes one r6040
device or on error handling path.
Fix it by adding phy_disconnect() when removes one r6040 device or on
error handling path after r6040_mii probed successfully.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3831861b4ad8fd0ad7110048eb3e155628799d2b , < a04707f4596952049da05756c27398c34d9a1d36
(git)
Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < b4448816e6a565e08236a6009c6bf48c6836cdfd (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 2ce242e1b9ad31c1f68496b3548e407a8cb2c07d (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < b0a61359026b57a287a48fbb4ba1d097023eca3e (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 3d5f83a62e8235d235534b3dc6f197d8a822c269 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 9b5b50329e2e966831a7237dd6949e7b5362a49a (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < ad2c8f25457ca9a81e7e958148cbc26600ce3071 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 5944c25c67de54e0aa53623e1e1af3bf8b16ed44 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a04707f4596952049da05756c27398c34d9a1d36",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b4448816e6a565e08236a6009c6bf48c6836cdfd",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "2ce242e1b9ad31c1f68496b3548e407a8cb2c07d",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b0a61359026b57a287a48fbb4ba1d097023eca3e",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "3d5f83a62e8235d235534b3dc6f197d8a822c269",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "9b5b50329e2e966831a7237dd6949e7b5362a49a",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "ad2c8f25457ca9a81e7e958148cbc26600ce3071",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "5944c25c67de54e0aa53623e1e1af3bf8b16ed44",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "7e43039a49c2da45edc1d9d7c9ede4003ab45a5f",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr6040: Fix kmemleak in probe and remove\n\nThere is a memory leaks reported by kmemleak:\n\n unreferenced object 0xffff888116111000 (size 2048):\n comm \"modprobe\", pid 817, jiffies 4294759745 (age 76.502s)\n hex dump (first 32 bytes):\n 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................\n 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff815bcd82\u003e] kmalloc_trace+0x22/0x60\n [\u003cffffffff827e20ee\u003e] phy_device_create+0x4e/0x90\n [\u003cffffffff827e6072\u003e] get_phy_device+0xd2/0x220\n [\u003cffffffff827e7844\u003e] mdiobus_scan+0xa4/0x2e0\n [\u003cffffffff827e8be2\u003e] __mdiobus_register+0x482/0x8b0\n [\u003cffffffffa01f5d24\u003e] r6040_init_one+0x714/0xd2c [r6040]\n ...\n\nThe problem occurs in probe process as follows:\n r6040_init_one:\n mdiobus_register\n mdiobus_scan \u003c- alloc and register phy_device,\n the reference count of phy_device is 3\n r6040_mii_probe\n phy_connect \u003c- connect to the first phy_device,\n so the reference count of the first\n phy_device is 4, others are 3\n register_netdev \u003c- fault inject succeeded, goto error handling path\n\n // error handling path\n err_out_mdio_unregister:\n mdiobus_unregister(lp-\u003emii_bus);\n err_out_mdio:\n mdiobus_free(lp-\u003emii_bus); \u003c- the reference count of the first\n phy_device is 1, it is not released\n and other phy_devices are released\n // similarly, the remove process also has the same problem\n\nThe root cause is traced to the phy_device is not disconnected when\nremoves one r6040 device in r6040_remove_one() or on error handling path\nafter r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet\ndevice is connected to the first PHY device of mii_bus, in order to\nnotify the connected driver when the link status changes, which is the\ndefault behavior of the PHY infrastructure to handle everything.\nTherefore the phy_device should be disconnected when removes one r6040\ndevice or on error handling path.\n\nFix it by adding phy_disconnect() when removes one r6040 device or on\nerror handling path after r6040_mii probed successfully."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:09.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a04707f4596952049da05756c27398c34d9a1d36"
},
{
"url": "https://git.kernel.org/stable/c/b4448816e6a565e08236a6009c6bf48c6836cdfd"
},
{
"url": "https://git.kernel.org/stable/c/2ce242e1b9ad31c1f68496b3548e407a8cb2c07d"
},
{
"url": "https://git.kernel.org/stable/c/b0a61359026b57a287a48fbb4ba1d097023eca3e"
},
{
"url": "https://git.kernel.org/stable/c/3d5f83a62e8235d235534b3dc6f197d8a822c269"
},
{
"url": "https://git.kernel.org/stable/c/9b5b50329e2e966831a7237dd6949e7b5362a49a"
},
{
"url": "https://git.kernel.org/stable/c/ad2c8f25457ca9a81e7e958148cbc26600ce3071"
},
{
"url": "https://git.kernel.org/stable/c/5944c25c67de54e0aa53623e1e1af3bf8b16ed44"
},
{
"url": "https://git.kernel.org/stable/c/7e43039a49c2da45edc1d9d7c9ede4003ab45a5f"
}
],
"title": "r6040: Fix kmemleak in probe and remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50545",
"datePublished": "2025-10-07T15:21:09.288Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:09.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40205 (GCVE-0-2025-40205)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
The function btrfs_encode_fh() does not properly account for the three
cases it handles.
Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).
If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.
This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.
A previous attempt to fix this issue was made but was lost.
https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db
(git)
Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 742b44342204e5dfe3926433823623c1a0c581df (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d3a9a8e1275eb9b87f006b5562a287aea3f6885f (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d91f6626133698362bba08fbc04bd72c466806d3 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 0276c8582488022f057b4cec21975a5edf079f47 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 361d67276eb8ec6be8f27f4ad6c6090459438fee (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 43143776b0a7604d873d1a6f3e552a00aa930224 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < dff4f9ff5d7f289e4545cc936362e01ed3252742 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "742b44342204e5dfe3926433823623c1a0c581df",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d3a9a8e1275eb9b87f006b5562a287aea3f6885f",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d91f6626133698362bba08fbc04bd72c466806d3",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "0276c8582488022f057b4cec21975a5edf079f47",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "361d67276eb8ec6be8f27f4ad6c6090459438fee",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "43143776b0a7604d873d1a6f3e552a00aa930224",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "dff4f9ff5d7f289e4545cc936362e01ed3252742",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:08.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
},
{
"url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
},
{
"url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
},
{
"url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
},
{
"url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
},
{
"url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
},
{
"url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
},
{
"url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
}
],
"title": "btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40205",
"datePublished": "2025-11-12T21:56:35.403Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:08.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38436 (GCVE-0-2025-38436)
Vulnerability from cvelistv5 – Published: 2025-07-25 14:32 – Updated: 2025-07-28 11:16
VLAI?
EPSS
Title
drm/scheduler: signal scheduled fence when kill job
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/scheduler: signal scheduled fence when kill job
When an entity from application B is killed, drm_sched_entity_kill()
removes all jobs belonging to that entity through
drm_sched_entity_kill_jobs_work(). If application A's job depends on a
scheduled fence from application B's job, and that fence is not properly
signaled during the killing process, application A's dependency cannot be
cleared.
This leads to application A hanging indefinitely while waiting for a
dependency that will never be resolved. Fix this issue by ensuring that
scheduled fences are properly signaled when an entity is killed, allowing
dependent applications to continue execution.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a72ce6f84109c1dec1ab236d65979d3250668af3 , < c5734f9bab6f0d40577ad0633af4090a5fda2407
(git)
Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < aefd0a935625165a6ca36d0258d2d053901555df (git) Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < aa382a8b6ed483e9812d0e63b6d1bdcba0186f29 (git) Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < 471db2c2d4f80ee94225a1ef246e4f5011733e50 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5734f9bab6f0d40577ad0633af4090a5fda2407",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "aefd0a935625165a6ca36d0258d2d053901555df",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "aa382a8b6ed483e9812d0e63b6d1bdcba0186f29",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "471db2c2d4f80ee94225a1ef246e4f5011733e50",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/scheduler: signal scheduled fence when kill job\n\nWhen an entity from application B is killed, drm_sched_entity_kill()\nremoves all jobs belonging to that entity through\ndrm_sched_entity_kill_jobs_work(). If application A\u0027s job depends on a\nscheduled fence from application B\u0027s job, and that fence is not properly\nsignaled during the killing process, application A\u0027s dependency cannot be\ncleared.\n\nThis leads to application A hanging indefinitely while waiting for a\ndependency that will never be resolved. Fix this issue by ensuring that\nscheduled fences are properly signaled when an entity is killed, allowing\ndependent applications to continue execution."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:16:59.090Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5734f9bab6f0d40577ad0633af4090a5fda2407"
},
{
"url": "https://git.kernel.org/stable/c/aefd0a935625165a6ca36d0258d2d053901555df"
},
{
"url": "https://git.kernel.org/stable/c/aa382a8b6ed483e9812d0e63b6d1bdcba0186f29"
},
{
"url": "https://git.kernel.org/stable/c/471db2c2d4f80ee94225a1ef246e4f5011733e50"
}
],
"title": "drm/scheduler: signal scheduled fence when kill job",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38436",
"datePublished": "2025-07-25T14:32:09.945Z",
"dateReserved": "2025-04-16T04:51:24.016Z",
"dateUpdated": "2025-07-28T11:16:59.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40149 (GCVE-0-2025-40149)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
get_netdev_for_sock() is called during setsockopt(),
so not under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb474ddbf26b51f462ae2e60a12013bdcfc5407",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "c65f27b9c3be2269918e1cbad6d8884741f835c5",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only -\u003endo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:58.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407"
},
{
"url": "https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5"
}
],
"title": "tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40149",
"datePublished": "2025-11-12T10:23:27.122Z",
"dateReserved": "2025-04-16T07:20:57.175Z",
"dateUpdated": "2025-12-01T06:18:58.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53369 (GCVE-0-2023-53369)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2025-09-18 13:33
VLAI?
EPSS
Title
net: dcb: choose correct policy to parse DCB_ATTR_BCN
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dcb: choose correct policy to parse DCB_ATTR_BCN
The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],
which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB
BCN"). Please see the comment in below code
static int dcbnl_bcn_setcfg(...)
{
...
ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
// !!! dcbnl_pfc_up_nest for attributes
// DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
...
for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
// !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
...
value_byte = nla_get_u8(data[i]);
...
}
...
for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
// !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
...
value_int = nla_get_u32(data[i]);
...
}
...
}
That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest
attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the
following access code fetch each nlattr as dcbnl_bcn_attrs attributes.
By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find
the beginning part of these two policies are "same".
static const struct nla_policy dcbnl_pfc_up_nest[...] = {
[DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
};
static const struct nla_policy dcbnl_bcn_nest[...] = {
[DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
// from here is somewhat different
[DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
...
[DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},
};
Therefore, the current code is buggy and this
nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use
the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.
Hence use the correct policy dcbnl_bcn_nest to parse the nested
tb[DCB_ATTR_BCN] TLV.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < 5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9
(git)
Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < 8e309f43d0ca4051d20736c06a6f84bbddd881da (git) Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < a0da2684db18dead3bcee12fb185e596e3d63c2b (git) Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < ecff20e193207b44fdbfe64d7de89890f0a7fe6c (git) Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < 199fde04bd875d28b3a5ca525eaaa004eec6e947 (git) Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e , < 31d49ba033095f6e8158c60f69714a500922e0c3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "8e309f43d0ca4051d20736c06a6f84bbddd881da",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "a0da2684db18dead3bcee12fb185e596e3d63c2b",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "ecff20e193207b44fdbfe64d7de89890f0a7fe6c",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "199fde04bd875d28b3a5ca525eaaa004eec6e947",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "31d49ba033095f6e8158c60f69714a500922e0c3",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dcb: choose correct policy to parse DCB_ATTR_BCN\n\nThe dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],\nwhich is introduced in commit 859ee3c43812 (\"DCB: Add support for DCB\nBCN\"). Please see the comment in below code\n\nstatic int dcbnl_bcn_setcfg(...)\n{\n ...\n ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )\n // !!! dcbnl_pfc_up_nest for attributes\n // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs\n ...\n for (i = DCB_BCN_ATTR_RP_0; i \u003c= DCB_BCN_ATTR_RP_7; i++) {\n // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs\n ...\n value_byte = nla_get_u8(data[i]);\n ...\n }\n ...\n for (i = DCB_BCN_ATTR_BCNA_0; i \u003c= DCB_BCN_ATTR_RI; i++) {\n // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs\n ...\n value_int = nla_get_u32(data[i]);\n ...\n }\n ...\n}\n\nThat is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest\nattributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the\nfollowing access code fetch each nlattr as dcbnl_bcn_attrs attributes.\nBy looking up the associated nla_policy for dcbnl_bcn_attrs. We can find\nthe beginning part of these two policies are \"same\".\n\nstatic const struct nla_policy dcbnl_pfc_up_nest[...] = {\n [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nstatic const struct nla_policy dcbnl_bcn_nest[...] = {\n [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},\n // from here is somewhat different\n [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},\n ...\n [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nTherefore, the current code is buggy and this\nnla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use\nthe adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.\n\nHence use the correct policy dcbnl_bcn_nest to parse the nested\ntb[DCB_ATTR_BCN] TLV."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:17.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9"
},
{
"url": "https://git.kernel.org/stable/c/8e309f43d0ca4051d20736c06a6f84bbddd881da"
},
{
"url": "https://git.kernel.org/stable/c/a0da2684db18dead3bcee12fb185e596e3d63c2b"
},
{
"url": "https://git.kernel.org/stable/c/ecff20e193207b44fdbfe64d7de89890f0a7fe6c"
},
{
"url": "https://git.kernel.org/stable/c/199fde04bd875d28b3a5ca525eaaa004eec6e947"
},
{
"url": "https://git.kernel.org/stable/c/31d49ba033095f6e8158c60f69714a500922e0c3"
}
],
"title": "net: dcb: choose correct policy to parse DCB_ATTR_BCN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53369",
"datePublished": "2025-09-18T13:33:17.384Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-18T13:33:17.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38361 (GCVE-0-2025-38361)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:47 – Updated: 2025-07-28 11:16
VLAI?
EPSS
Title
drm/amd/display: Check dce_hwseq before dereferencing it
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check dce_hwseq before dereferencing it
[WHAT]
hws was checked for null earlier in dce110_blank_stream, indicating hws
can be null, and should be checked whenever it is used.
(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < e881b82f5d3d8d54d168cd276169f0fee01bf0e7
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < df11bf0ef795b6d415c4d8ee54fa3f2105e75bcb (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < b669507b637eb6b1aaecf347f193efccc65d756e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e881b82f5d3d8d54d168cd276169f0fee01bf0e7",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "df11bf0ef795b6d415c4d8ee54fa3f2105e75bcb",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "b669507b637eb6b1aaecf347f193efccc65d756e",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check dce_hwseq before dereferencing it\n\n[WHAT]\n\nhws was checked for null earlier in dce110_blank_stream, indicating hws\ncan be null, and should be checked whenever it is used.\n\n(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:16:47.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e881b82f5d3d8d54d168cd276169f0fee01bf0e7"
},
{
"url": "https://git.kernel.org/stable/c/df11bf0ef795b6d415c4d8ee54fa3f2105e75bcb"
},
{
"url": "https://git.kernel.org/stable/c/b669507b637eb6b1aaecf347f193efccc65d756e"
}
],
"title": "drm/amd/display: Check dce_hwseq before dereferencing it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38361",
"datePublished": "2025-07-25T12:47:32.234Z",
"dateReserved": "2025-04-16T04:51:24.008Z",
"dateUpdated": "2025-07-28T11:16:47.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…