Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0056
Vulnerability from certfr_avis - Published: 2026-01-16 - Updated: 2026-01-16
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - TUS 8.8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 8.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 9 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 8 ppc64le |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 10 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 10 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 10 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 9 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 10 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 10 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 10 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 9 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-39983",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39983"
},
{
"name": "CVE-2025-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39883"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-39925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39925"
},
{
"name": "CVE-2023-52638",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52638"
},
{
"name": "CVE-2024-35868",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35868"
},
{
"name": "CVE-2025-39843",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39843"
},
{
"name": "CVE-2022-50447",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50447"
},
{
"name": "CVE-2025-39898",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39898"
},
{
"name": "CVE-2025-38724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38724"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-39981",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39981"
},
{
"name": "CVE-2023-53705",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53705"
},
{
"name": "CVE-2025-23142",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23142"
},
{
"name": "CVE-2025-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40176"
},
{
"name": "CVE-2023-53322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53322"
},
{
"name": "CVE-2025-39840",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39840"
},
{
"name": "CVE-2023-53539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53539"
},
{
"name": "CVE-2023-53675",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53675"
},
{
"name": "CVE-2025-39982",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39982"
},
{
"name": "CVE-2025-39993",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39993"
},
{
"name": "CVE-2025-39971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39971"
},
{
"name": "CVE-2025-39825",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39825"
},
{
"name": "CVE-2023-53401",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53401"
},
{
"name": "CVE-2025-39806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39806"
},
{
"name": "CVE-2023-53680",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53680"
},
{
"name": "CVE-2025-39905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39905"
},
{
"name": "CVE-2025-39817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39817"
},
{
"name": "CVE-2023-53581",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53581"
},
{
"name": "CVE-2025-38051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38051"
},
{
"name": "CVE-2023-53513",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53513"
},
{
"name": "CVE-2025-40141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40141"
},
{
"name": "CVE-2025-39966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39966"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2022-50543",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50543"
}
],
"initial_release_date": "2026-01-16T00:00:00",
"last_revision_date": "2026-01-16T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0056",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2026-01-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0453",
"url": "https://access.redhat.com/errata/RHSA-2026:0453"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0576",
"url": "https://access.redhat.com/errata/RHSA-2026:0576"
},
{
"published_at": "2026-01-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0444",
"url": "https://access.redhat.com/errata/RHSA-2026:0444"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0489",
"url": "https://access.redhat.com/errata/RHSA-2026:0489"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0537",
"url": "https://access.redhat.com/errata/RHSA-2026:0537"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0536",
"url": "https://access.redhat.com/errata/RHSA-2026:0536"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0532",
"url": "https://access.redhat.com/errata/RHSA-2026:0532"
},
{
"published_at": "2026-01-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0457",
"url": "https://access.redhat.com/errata/RHSA-2026:0457"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0534",
"url": "https://access.redhat.com/errata/RHSA-2026:0534"
},
{
"published_at": "2026-01-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0445",
"url": "https://access.redhat.com/errata/RHSA-2026:0445"
},
{
"published_at": "2026-01-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0443",
"url": "https://access.redhat.com/errata/RHSA-2026:0443"
},
{
"published_at": "2026-01-15",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0643",
"url": "https://access.redhat.com/errata/RHSA-2026:0643"
},
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:0533",
"url": "https://access.redhat.com/errata/RHSA-2026:0533"
}
]
}
CVE-2025-40277 (GCVE-0-2025-40277)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53
(git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e58559845021c3bad5e094219378b869157fad53",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:00.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
},
{
"url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
},
{
"url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
},
{
"url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
},
{
"url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
},
{
"url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
},
{
"url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
},
{
"url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
}
],
"title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40277",
"datePublished": "2025-12-06T21:51:00.437Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:00.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53680 (GCVE-0-2023-53680)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2025-10-07 15:21
VLAI?
EPSS
Title
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
OPDESC() simply indexes into nfsd4_ops[] by the op's operation
number, without range checking that value. It assumes callers are
careful to avoid calling it with an out-of-bounds opnum value.
nfsd4_decode_compound() is not so careful, and can invoke OPDESC()
with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end
of nfsd4_ops[].
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8 , < 50827896c365e0f6c8b55ed56d444dafd87c92c5
(git)
Affected: f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8 , < a64160124d5a078be0c380b1e8a0bad2d040d3a1 (git) Affected: f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8 , < ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e (git) Affected: f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8 , < f352c41fa718482979e7e6b71b4da2b718e381cc (git) Affected: f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8 , < 804d8e0a6e54427268790472781e03bc243f4ee3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50827896c365e0f6c8b55ed56d444dafd87c92c5",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "a64160124d5a078be0c380b1e8a0bad2d040d3a1",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "f352c41fa718482979e7e6b71b4da2b718e381cc",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "804d8e0a6e54427268790472781e03bc243f4ee3",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.220",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL\n\nOPDESC() simply indexes into nfsd4_ops[] by the op\u0027s operation\nnumber, without range checking that value. It assumes callers are\ncareful to avoid calling it with an out-of-bounds opnum value.\n\nnfsd4_decode_compound() is not so careful, and can invoke OPDESC()\nwith opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end\nof nfsd4_ops[]."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:34.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50827896c365e0f6c8b55ed56d444dafd87c92c5"
},
{
"url": "https://git.kernel.org/stable/c/a64160124d5a078be0c380b1e8a0bad2d040d3a1"
},
{
"url": "https://git.kernel.org/stable/c/ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e"
},
{
"url": "https://git.kernel.org/stable/c/f352c41fa718482979e7e6b71b4da2b718e381cc"
},
{
"url": "https://git.kernel.org/stable/c/804d8e0a6e54427268790472781e03bc243f4ee3"
}
],
"title": "NFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53680",
"datePublished": "2025-10-07T15:21:34.626Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:34.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52638 (GCVE-0-2023-52638)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:54 – Updated: 2026-01-05 10:16
VLAI?
EPSS
Title
can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
The following 3 locks would race against each other, causing the
deadlock situation in the Syzbot bug report:
- j1939_socks_lock
- active_session_list_lock
- sk_session_queue_lock
A reasonable fix is to change j1939_socks_lock to an rwlock, since in
the rare situations where a write lock is required for the linked list
that j1939_socks_lock is protecting, the code does not attempt to
acquire any more locks. This would break the circular lock dependency,
where, for example, the current thread already locks j1939_socks_lock
and attempts to acquire sk_session_queue_lock, and at the same time,
another thread attempts to acquire j1939_socks_lock while holding
sk_session_queue_lock.
NOTE: This patch along does not fix the unregister_netdevice bug
reported by Syzbot; instead, it solves a deadlock situation to prepare
for one or more further patches to actually fix the Syzbot bug, which
appears to be a reference counting problem within the j1939 codebase.
[mkl: remove unrelated newline change]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5b9272e93f2efe3f6cda60cc2c26817b2ce49386 , < 03358aba991668d3bb2c65b3c82aa32c36851170
(git)
Affected: 5b9272e93f2efe3f6cda60cc2c26817b2ce49386 , < aedda066d717a0b4335d7e0a00b2e3a61e40afcf (git) Affected: 5b9272e93f2efe3f6cda60cc2c26817b2ce49386 , < 26dfe112ec2e95fe0099681f6aec33da13c2dd8e (git) Affected: 5b9272e93f2efe3f6cda60cc2c26817b2ce49386 , < 559b6322f9480bff68cfa98d108991e945a4f284 (git) Affected: 5b9272e93f2efe3f6cda60cc2c26817b2ce49386 , < 6cdedc18ba7b9dacc36466e27e3267d201948c8d (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T19:30:24.987517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T19:57:30.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:21.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03358aba991668d3bb2c65b3c82aa32c36851170",
"status": "affected",
"version": "5b9272e93f2efe3f6cda60cc2c26817b2ce49386",
"versionType": "git"
},
{
"lessThan": "aedda066d717a0b4335d7e0a00b2e3a61e40afcf",
"status": "affected",
"version": "5b9272e93f2efe3f6cda60cc2c26817b2ce49386",
"versionType": "git"
},
{
"lessThan": "26dfe112ec2e95fe0099681f6aec33da13c2dd8e",
"status": "affected",
"version": "5b9272e93f2efe3f6cda60cc2c26817b2ce49386",
"versionType": "git"
},
{
"lessThan": "559b6322f9480bff68cfa98d108991e945a4f284",
"status": "affected",
"version": "5b9272e93f2efe3f6cda60cc2c26817b2ce49386",
"versionType": "git"
},
{
"lessThan": "6cdedc18ba7b9dacc36466e27e3267d201948c8d",
"status": "affected",
"version": "5b9272e93f2efe3f6cda60cc2c26817b2ce49386",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\n\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\n\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\n\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\n\nNOTE: This patch along does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\n\n[mkl: remove unrelated newline change]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:16:55.570Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170"
},
{
"url": "https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf"
},
{
"url": "https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e"
},
{
"url": "https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284"
},
{
"url": "https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d"
}
],
"title": "can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52638",
"datePublished": "2024-04-03T14:54:41.271Z",
"dateReserved": "2024-03-06T09:52:12.093Z",
"dateUpdated": "2026-01-05T10:16:55.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39883 (GCVE-0-2025-39883)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
VLAI?
EPSS
Title
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by below steps:
1.Offline memory block:
echo offline > /sys/devices/system/memory/memory12/state
2.Get offlined memory pfn:
page-types -b n -rlN
3.Write pfn to unpoison-pfn
echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 8e01ea186a52c90694c08a9ff57bea1b0e78256a
(git)
Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < fb65803ccff37cf9123c50c1c02efd1ed73c4ed5 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 99f7048957f5ae3cee1c01189147e73a9a96de02 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < e4ec6def5643a1c9511115b3884eb879572294c6 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 7618fd443aa4cfa553a64cacf5721581653ee7b0 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < 63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96 (git) Affected: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe , < d613f53c83ec47089c4e25859d5e8e0359f6f8da (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:24.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e01ea186a52c90694c08a9ff57bea1b0e78256a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "fb65803ccff37cf9123c50c1c02efd1ed73c4ed5",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "99f7048957f5ae3cee1c01189147e73a9a96de02",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "e4ec6def5643a1c9511115b3884eb879572294c6",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "7618fd443aa4cfa553a64cacf5721581653ee7b0",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "d613f53c83ec47089c4e25859d5e8e0359f6f8da",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n \u003c/TASK\u003e\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered. This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline \u003e /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo \u003cpfn\u003e \u003e /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:26.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a"
},
{
"url": "https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5"
},
{
"url": "https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02"
},
{
"url": "https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6"
},
{
"url": "https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a"
},
{
"url": "https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0"
},
{
"url": "https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96"
},
{
"url": "https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da"
}
],
"title": "mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39883",
"datePublished": "2025-09-23T06:00:51.548Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:24.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39993 (GCVE-0-2025-39993)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
media: rc: fix races with imon_disconnect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rc: fix races with imon_disconnect()
Syzbot reports a KASAN issue as below:
BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465
CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__create_pipe include/linux/usb.h:1945 [inline]
send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
vfs_write+0x2d7/0xdd0 fs/read_write.c:576
ksys_write+0x127/0x250 fs/read_write.c:631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.
As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of
the usb_device pointer.
Thread 1 vfd_write Thread 2 imon_disconnect
...
if
usb_put_dev(ictx->usbdev_intf0)
else
usb_put_dev(ictx->usbdev_intf1)
...
while
send_packet
if
pipe = usb_sndintpipe(
ictx->usbdev_intf0) UAF
else
pipe = usb_sndctrlpipe(
ictx->usbdev_intf0, 0) UAF
Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return
with -ENODEV in send_packet(), vfd_write(), lcd_write() and
display_open() if the device is no longer present.
Set and read ictx->disconnected under ictx->lock to ensure memory
synchronization. Acquire the lock in imon_disconnect() before setting
the flag to synchronize with any ongoing operations.
Ensure writers exit early and safely after disconnect before the USB
core proceeds with cleanup.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
21677cfc562a27e099719d413287bc8d1d24deb7 , < 9348976003e39754af344949579e824a0a210fc4
(git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < b03fac6e2a38331faf8510b480becfa90cea1c9f (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71c52b073922d05e79e6de7fc7f5f38f927929a4 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71096a6161a25e84acddb89a9d77f138502d26ab (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71da40648741d15b302700b68973fe8b382aef3c (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < d9f6ce99624a41c3bcb29a8d7d79b800665229dd (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 2e7fd93b9cc565b839bc55a6662475718963e156 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < fa0f61cc1d828178aa921475a9b786e7fbb65ccb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9348976003e39754af344949579e824a0a210fc4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "b03fac6e2a38331faf8510b480becfa90cea1c9f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71c52b073922d05e79e6de7fc7f5f38f927929a4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71096a6161a25e84acddb89a9d77f138502d26ab",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71da40648741d15b302700b68973fe8b382aef3c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "d9f6ce99624a41c3bcb29a8d7d79b800665229dd",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "2e7fd93b9cc565b839bc55a6662475718963e156",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fa0f61cc1d828178aa921475a9b786e7fbb65ccb",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx-\u003eusers). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write Thread 2 imon_disconnect\n ...\n if\n usb_put_dev(ictx-\u003eusbdev_intf0)\n else\n usb_put_dev(ictx-\u003eusbdev_intf1)\n...\nwhile\n send_packet\n if\n pipe = usb_sndintpipe(\n ictx-\u003eusbdev_intf0) UAF\n else\n pipe = usb_sndctrlpipe(\n ictx-\u003eusbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx-\u003edisconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:03.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9348976003e39754af344949579e824a0a210fc4"
},
{
"url": "https://git.kernel.org/stable/c/b03fac6e2a38331faf8510b480becfa90cea1c9f"
},
{
"url": "https://git.kernel.org/stable/c/71c52b073922d05e79e6de7fc7f5f38f927929a4"
},
{
"url": "https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab"
},
{
"url": "https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c"
},
{
"url": "https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"
},
{
"url": "https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd"
},
{
"url": "https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156"
},
{
"url": "https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb"
}
],
"title": "media: rc: fix races with imon_disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39993",
"datePublished": "2025-10-15T07:58:18.621Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-12-01T06:16:03.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40141 (GCVE-0-2025-40141)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
Bluetooth: ISO: Fix possible UAF on iso_conn_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix possible UAF on iso_conn_free
This attempt to fix similar issue to sco_conn_free where if the
conn->sk is not set to NULL may lead to UAF on iso_conn_free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ccf74f2390d60a2f9a75ef496d2564abb478f46a , < eba6d787ec117a5d2c60f9644e0a39c18542b6be
(git)
Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 5319145a07d8bf5b0782b25cb3115825689d42bb (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 80689777919f02328eb873769de4647c9dd3e371 (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < c92ad1a155ccfa38b87bd1d998287e1c0a24248d (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eba6d787ec117a5d2c60f9644e0a39c18542b6be",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "5319145a07d8bf5b0782b25cb3115825689d42bb",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "80689777919f02328eb873769de4647c9dd3e371",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "c92ad1a155ccfa38b87bd1d998287e1c0a24248d",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix possible UAF on iso_conn_free\n\nThis attempt to fix similar issue to sco_conn_free where if the\nconn-\u003esk is not set to NULL may lead to UAF on iso_conn_free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:49.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eba6d787ec117a5d2c60f9644e0a39c18542b6be"
},
{
"url": "https://git.kernel.org/stable/c/5319145a07d8bf5b0782b25cb3115825689d42bb"
},
{
"url": "https://git.kernel.org/stable/c/80689777919f02328eb873769de4647c9dd3e371"
},
{
"url": "https://git.kernel.org/stable/c/c92ad1a155ccfa38b87bd1d998287e1c0a24248d"
},
{
"url": "https://git.kernel.org/stable/c/9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8"
}
],
"title": "Bluetooth: ISO: Fix possible UAF on iso_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40141",
"datePublished": "2025-11-12T10:23:24.856Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:49.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39898 (GCVE-0-2025-39898)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-10-24 11:41
VLAI?
EPSS
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-24T11:41:53.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39898",
"datePublished": "2025-10-01T07:42:46.360Z",
"dateRejected": "2025-10-24T11:41:53.958Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-24T11:41:53.958Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39825 (GCVE-0-2025-39825)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-02 15:32
VLAI?
EPSS
Title
smb: client: fix race with concurrent opens in rename(2)
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix race with concurrent opens in rename(2)
Besides sending the rename request to the server, the rename process
also involves closing any deferred close, waiting for outstanding I/O
to complete as well as marking all existing open handles as deleted to
prevent them from deferring closes, which increases the race window
for potential concurrent opens on the target file.
Fix this by unhashing the dentry in advance to prevent any concurrent
opens on the target.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
78c09634f7dc061a3bd09704cdbebb3762a45cdf , < c9e7de284da0be5b44dbe79d71573f9f7f9b144c
(git)
Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < 24b9ed739c8c5b464d983e12cf308982f3ae93c2 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < c9991af5e09924f6f3b3e6996a5e09f9504b4358 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < 289f945acb20b9b54fe4d13895e44aa58965ddb2 (git) Affected: 78c09634f7dc061a3bd09704cdbebb3762a45cdf , < d84291fc7453df7881a970716f8256273aca5747 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:46.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9e7de284da0be5b44dbe79d71573f9f7f9b144c",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "24b9ed739c8c5b464d983e12cf308982f3ae93c2",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "c9991af5e09924f6f3b3e6996a5e09f9504b4358",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "289f945acb20b9b54fe4d13895e44aa58965ddb2",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
},
{
"lessThan": "d84291fc7453df7881a970716f8256273aca5747",
"status": "affected",
"version": "78c09634f7dc061a3bd09704cdbebb3762a45cdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the target."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:35.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9e7de284da0be5b44dbe79d71573f9f7f9b144c"
},
{
"url": "https://git.kernel.org/stable/c/24b9ed739c8c5b464d983e12cf308982f3ae93c2"
},
{
"url": "https://git.kernel.org/stable/c/c9991af5e09924f6f3b3e6996a5e09f9504b4358"
},
{
"url": "https://git.kernel.org/stable/c/289f945acb20b9b54fe4d13895e44aa58965ddb2"
},
{
"url": "https://git.kernel.org/stable/c/d84291fc7453df7881a970716f8256273aca5747"
}
],
"title": "smb: client: fix race with concurrent opens in rename(2)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39825",
"datePublished": "2025-09-16T13:00:23.897Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2026-01-02T15:32:35.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38051 (GCVE-0-2025-38051)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33
VLAI?
EPSS
Title
smb: client: Fix use-after-free in cifs_fill_dirent
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Fix use-after-free in cifs_fill_dirent
There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.
==================================================================
BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
Read of size 4 at addr ffff8880099b819c by task a.out/342975
CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x640
kasan_report+0xb8/0xf0
cifs_fill_dirent+0xb03/0xb60 [cifs]
cifs_readdir+0x12cb/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f996f64b9f9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8
RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
</TASK>
Allocated by task 408:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_noprof+0x117/0x3d0
mempool_alloc_noprof+0xf2/0x2c0
cifs_buf_get+0x36/0x80 [cifs]
allocate_buffers+0x1d2/0x330 [cifs]
cifs_demultiplex_thread+0x22b/0x2690 [cifs]
kthread+0x394/0x720
ret_from_fork+0x34/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 342979:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0x2b8/0x500
cifs_buf_release+0x3c/0x70 [cifs]
cifs_readdir+0x1c97/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents64+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The buggy address belongs to the object at ffff8880099b8000
which belongs to the cache cifs_request of size 16588
The buggy address is located 412 bytes inside of
freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
POC is available in the link [1].
The problem triggering process is as follows:
Process 1 Process 2
-----------------------------------
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < aee067e88d61eb72e966f094e4749c6b14e7008f
(git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 1b197931fbc821bc7e9e91bf619400db563e3338 (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < c8623231e0edfcccb7cc6add0288fa0f0594282f (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 73cadde98f67f76c5eba00ac0b72c453383cec8b (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9bea368648ac46f8593a780760362e40291d22a9 (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9c9aafbacc183598f064902365e107b5e856531f (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a7a8fe56e932a36f43e031b398aef92341bf5ea0 (git) Affected: 0f3da51e7046e2eb28992ba65c22d058f571356c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:23.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "9bea368648ac46f8593a780760362e40291d22a9",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "9c9aafbacc183598f064902365e107b5e856531f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"status": "affected",
"version": "0f3da51e7046e2eb28992ba65c22d058f571356c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.27.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x640\n kasan_report+0xb8/0xf0\n cifs_fill_dirent+0xb03/0xb60 [cifs]\n cifs_readdir+0x12cb/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\n f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n \u003c/TASK\u003e\n\n Allocated by task 408:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_noprof+0x117/0x3d0\n mempool_alloc_noprof+0xf2/0x2c0\n cifs_buf_get+0x36/0x80 [cifs]\n allocate_buffers+0x1d2/0x330 [cifs]\n cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n kthread+0x394/0x720\n ret_from_fork+0x34/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0x2b8/0x500\n cifs_buf_release+0x3c/0x70 [cifs]\n cifs_readdir+0x1c97/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents64+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1 Process 2\n-----------------------------------\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:33:32.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"
},
{
"url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"
},
{
"url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"
},
{
"url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"
},
{
"url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"
},
{
"url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"
},
{
"url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"
},
{
"url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"
}
],
"title": "smb: client: Fix use-after-free in cifs_fill_dirent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38051",
"datePublished": "2025-06-18T09:33:32.805Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2025-11-03T17:33:23.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40240 (GCVE-0-2025-40240)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
sctp: avoid NULL dereference when chunk data buffer is missing
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9
(git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "08165c296597075763130919f2aae59b5822f016",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:29.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
},
{
"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
},
{
"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
},
{
"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
},
{
"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
},
{
"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
},
{
"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
},
{
"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
}
],
"title": "sctp: avoid NULL dereference when chunk data buffer is missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40240",
"datePublished": "2025-12-04T15:31:29.715Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:29.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68285 (GCVE-0-2025-68285)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: fix potential use-after-free in have_mon_and_osd_map()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < bb4910c5fd436701faf367e1b5476a5a6d2aff1c
(git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 05ec43e9a9de67132dc8cd3b22afef001574947f (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 7c8ccdc1714d9fabecd26e1be7db1771061acc6e (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < e08021b3b56b2407f37b5fe47b654be80cc665fb (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 076381c261374c587700b3accf410bdd2dba334e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "076381c261374c587700b3accf410bdd2dba334e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived. Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n kfree(monc-\u003emonmap);\n monc-\u003emonmap = monmap;\n\n ceph_osdmap_destroy(osdc-\u003eosdmap);\n osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map. This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n ...\n Call Trace:\n \u003cTASK\u003e\n have_mon_and_osd_map+0x56/0x70\n ceph_open_session+0x182/0x290\n ceph_get_tree+0x333/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\n Allocated by task 13305:\n ceph_osdmap_alloc+0x16/0x130\n ceph_osdc_init+0x27a/0x4c0\n ceph_create_client+0x153/0x190\n create_fs_client+0x50/0x2a0\n ceph_get_tree+0xff/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Freed by task 9475:\n kfree+0x212/0x290\n handle_one_map+0x23c/0x3b0\n ceph_osdc_handle_map+0x3c9/0x590\n mon_dispatch+0x655/0x6f0\n ceph_con_process_message+0xc3/0xe0\n ceph_con_v1_try_read+0x614/0x760\n ceph_con_workfn+0x2de/0x650\n process_one_work+0x486/0x7c0\n process_scheduled_works+0x73/0x90\n worker_thread+0x1c8/0x2a0\n kthread+0x2ec/0x300\n ret_from_fork+0x24/0x40\n ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate. While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:50.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
},
{
"url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
},
{
"url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
},
{
"url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
},
{
"url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
},
{
"url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
},
{
"url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
}
],
"title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68285",
"datePublished": "2025-12-16T15:06:07.078Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:50.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68287 (GCVE-0-2025-68287)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72246da40f3719af3bfd104a2365b32537c27d83 , < 467add9db13219101f14b6cc5477998b4aaa5fe2
(git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 67192e8cb7f941b5bba91e4bb290683576ce1607 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 47de14d741cc4057046c9e2f33df1f7828254e6c (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < afc0e34f161ce61ad351303c46eb57bd44b8b090 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 7cfb62888eba292fa35cd9ddbd28ce595f60e139 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < fa5eaf701e576880070b60922200557ae4aa54e1 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < e4037689a366743c4233966f0e74bc455820d316 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "467add9db13219101f14b6cc5477998b4aaa5fe2",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "67192e8cb7f941b5bba91e4bb290683576ce1607",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "47de14d741cc4057046c9e2f33df1f7828254e6c",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "afc0e34f161ce61ad351303c46eb57bd44b8b090",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "7cfb62888eba292fa35cd9ddbd28ce595f60e139",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "fa5eaf701e576880070b60922200557ae4aa54e1",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "e4037689a366743c4233966f0e74bc455820d316",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees \u0027out\u0027\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:08.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2"
},
{
"url": "https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607"
},
{
"url": "https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c"
},
{
"url": "https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090"
},
{
"url": "https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139"
},
{
"url": "https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1"
},
{
"url": "https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316"
}
],
"title": "usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68287",
"datePublished": "2025-12-16T15:06:08.711Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:08.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39806 (GCVE-0-2025-39806)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 , < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d
(git)
Affected: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 , < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 (git) Affected: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b , < d4e6e2680807671e1c73cd6a986b33659ce92f2b (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 3055309821dd3da92888f88bad10f0324c3c89fe (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < c13e95587583d018cfbcc277df7e02d41902ac5a (git) Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 0379eb8691b9c4477da0277ae0832036ca4410b4 (git) Affected: d189e24a42b8bd0ece3d28801d751bf66dba8e92 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:32.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d",
"status": "affected",
"version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0",
"versionType": "git"
},
{
"lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338",
"status": "affected",
"version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1",
"versionType": "git"
},
{
"lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b",
"status": "affected",
"version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b",
"versionType": "git"
},
{
"lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[ 13.671954] ==================================================================\n[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[ 13.673297]\n[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[ 13.673297] Call Trace:\n[ 13.673297] \u003cTASK\u003e\n[ 13.673297] dump_stack_lvl+0x5f/0x80\n[ 13.673297] print_report+0xd1/0x660\n[ 13.673297] kasan_report+0xe5/0x120\n[ 13.673297] __asan_report_load1_noabort+0x18/0x20\n[ 13.673297] mt_report_fixup+0x103/0x110\n[ 13.673297] hid_open_report+0x1ef/0x810\n[ 13.673297] mt_probe+0x422/0x960\n[ 13.673297] hid_device_probe+0x2e2/0x6f0\n[ 13.673297] really_probe+0x1c6/0x6b0\n[ 13.673297] __driver_probe_device+0x24f/0x310\n[ 13.673297] driver_probe_device+0x4e/0x220\n[ 13.673297] __device_attach_driver+0x169/0x320\n[ 13.673297] bus_for_each_drv+0x11d/0x1b0\n[ 13.673297] __device_attach+0x1b8/0x3e0\n[ 13.673297] device_initial_probe+0x12/0x20\n[ 13.673297] bus_probe_device+0x13d/0x180\n[ 13.673297] device_add+0xe3a/0x1670\n[ 13.673297] hid_add_device+0x31d/0xa40\n[...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:48.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d"
},
{
"url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338"
},
{
"url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b"
},
{
"url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe"
},
{
"url": "https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a"
},
{
"url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4"
}
],
"title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39806",
"datePublished": "2025-09-16T13:00:09.524Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-11-03T17:43:32.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39971 (GCVE-0-2025-39971)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
i40e: fix idx validation in config queues msg
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in config queues msg
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < a6ff2af78343eceb0f77ab1a2fe802183bc21648
(git)
Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < f5f91d164af22e7147130ef8bebbdb28d8ecc6e2 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 1fa0aadade34481c567cdf4a897c0d4e4d548bd1 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 8b9c7719b0987b1c6c5fc910599f3618a558dbde (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 2cc26dac0518d2fa9b67ec813ee60e183480f98a (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < 5c1f96123113e0bdc6d8dc2b0830184c93da9f65 (git) Affected: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 , < f1ad24c5abe1eaef69158bac1405a74b3c365115 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ff2af78343eceb0f77ab1a2fe802183bc21648",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f5f91d164af22e7147130ef8bebbdb28d8ecc6e2",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "1fa0aadade34481c567cdf4a897c0d4e4d548bd1",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "8b9c7719b0987b1c6c5fc910599f3618a558dbde",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "2cc26dac0518d2fa9b67ec813ee60e183480f98a",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "5c1f96123113e0bdc6d8dc2b0830184c93da9f65",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f1ad24c5abe1eaef69158bac1405a74b3c365115",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in config queues msg\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_vc_config_queues_msg()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ff2af78343eceb0f77ab1a2fe802183bc21648"
},
{
"url": "https://git.kernel.org/stable/c/f5f91d164af22e7147130ef8bebbdb28d8ecc6e2"
},
{
"url": "https://git.kernel.org/stable/c/1fa0aadade34481c567cdf4a897c0d4e4d548bd1"
},
{
"url": "https://git.kernel.org/stable/c/8b9c7719b0987b1c6c5fc910599f3618a558dbde"
},
{
"url": "https://git.kernel.org/stable/c/2cc26dac0518d2fa9b67ec813ee60e183480f98a"
},
{
"url": "https://git.kernel.org/stable/c/bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b"
},
{
"url": "https://git.kernel.org/stable/c/5c1f96123113e0bdc6d8dc2b0830184c93da9f65"
},
{
"url": "https://git.kernel.org/stable/c/f1ad24c5abe1eaef69158bac1405a74b3c365115"
}
],
"title": "i40e: fix idx validation in config queues msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39971",
"datePublished": "2025-10-15T07:55:54.270Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53513 (GCVE-0-2023-53513)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:46 – Updated: 2026-01-05 10:21
VLAI?
EPSS
Title
nbd: fix incomplete validation of ioctl arg
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix incomplete validation of ioctl arg
We tested and found an alarm caused by nbd_ioctl arg without verification.
The UBSAN warning calltrace like below:
UBSAN: Undefined behaviour in fs/buffer.c:1709:35
signed integer overflow:
-9223372036854775808 - 1 cannot be represented in type 'long long int'
CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x170/0x1dc lib/dump_stack.c:118
ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
handle_overflow+0x188/0x1dc lib/ubsan.c:192
__ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206
__block_write_full_page+0x94c/0xa20 fs/buffer.c:1709
block_write_full_page+0x1f0/0x280 fs/buffer.c:2934
blkdev_writepage+0x34/0x40 fs/block_dev.c:607
__writepage+0x68/0xe8 mm/page-writeback.c:2305
write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240
generic_writepages+0xdc/0x148 mm/page-writeback.c:2329
blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114
do_writepages+0xd4/0x250 mm/page-writeback.c:2344
The reason for triggering this warning is __block_write_full_page()
-> i_size_read(inode) - 1 overflow.
inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize.
We think it is necessary to limit the size of arg to prevent errors.
Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int.
Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine),
it will become 1 after the coercion, which will return unexpected results.
Fix it by adding checks to prevent passing in too large numbers.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b9c495bb6d8edc719fd23af2ac67de8303cfc1e8 , < 52851d0c3354b397c11d31dfeb8b2a2fc85a0002
(git)
Affected: b9c495bb6d8edc719fd23af2ac67de8303cfc1e8 , < fab766c8a1aff715bce7075aab40e780266f8e1a (git) Affected: b9c495bb6d8edc719fd23af2ac67de8303cfc1e8 , < ffb75ffaa68723276365d0f9d00b03362b750657 (git) Affected: b9c495bb6d8edc719fd23af2ac67de8303cfc1e8 , < 55793ea54d77719a071b1ccc05a05056e3b5e009 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52851d0c3354b397c11d31dfeb8b2a2fc85a0002",
"status": "affected",
"version": "b9c495bb6d8edc719fd23af2ac67de8303cfc1e8",
"versionType": "git"
},
{
"lessThan": "fab766c8a1aff715bce7075aab40e780266f8e1a",
"status": "affected",
"version": "b9c495bb6d8edc719fd23af2ac67de8303cfc1e8",
"versionType": "git"
},
{
"lessThan": "ffb75ffaa68723276365d0f9d00b03362b750657",
"status": "affected",
"version": "b9c495bb6d8edc719fd23af2ac67de8303cfc1e8",
"versionType": "git"
},
{
"lessThan": "55793ea54d77719a071b1ccc05a05056e3b5e009",
"status": "affected",
"version": "b9c495bb6d8edc719fd23af2ac67de8303cfc1e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix incomplete validation of ioctl arg\n\nWe tested and found an alarm caused by nbd_ioctl arg without verification.\nThe UBSAN warning calltrace like below:\n\nUBSAN: Undefined behaviour in fs/buffer.c:1709:35\nsigned integer overflow:\n-9223372036854775808 - 1 cannot be represented in type \u0027long long int\u0027\nCPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78\n show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x170/0x1dc lib/dump_stack.c:118\n ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161\n handle_overflow+0x188/0x1dc lib/ubsan.c:192\n __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206\n __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709\n block_write_full_page+0x1f0/0x280 fs/buffer.c:2934\n blkdev_writepage+0x34/0x40 fs/block_dev.c:607\n __writepage+0x68/0xe8 mm/page-writeback.c:2305\n write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240\n generic_writepages+0xdc/0x148 mm/page-writeback.c:2329\n blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114\n do_writepages+0xd4/0x250 mm/page-writeback.c:2344\n\nThe reason for triggering this warning is __block_write_full_page()\n-\u003e i_size_read(inode) - 1 overflow.\ninode-\u003ei_size is assigned in __nbd_ioctl() -\u003e nbd_set_size() -\u003e bytesize.\nWe think it is necessary to limit the size of arg to prevent errors.\n\nMoreover, __nbd_ioctl() -\u003e nbd_add_socket(), arg will be cast to int.\nAssuming the value of arg is 0x80000000000000001) (on a 64-bit machine),\nit will become 1 after the coercion, which will return unexpected results.\n\nFix it by adding checks to prevent passing in too large numbers."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:21:04.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52851d0c3354b397c11d31dfeb8b2a2fc85a0002"
},
{
"url": "https://git.kernel.org/stable/c/fab766c8a1aff715bce7075aab40e780266f8e1a"
},
{
"url": "https://git.kernel.org/stable/c/ffb75ffaa68723276365d0f9d00b03362b750657"
},
{
"url": "https://git.kernel.org/stable/c/55793ea54d77719a071b1ccc05a05056e3b5e009"
}
],
"title": "nbd: fix incomplete validation of ioctl arg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53513",
"datePublished": "2025-10-01T11:46:01.717Z",
"dateReserved": "2025-10-01T11:39:39.406Z",
"dateUpdated": "2026-01-05T10:21:04.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50447 (GCVE-0-2022-50447)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
VLAI?
EPSS
Title
Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
When attempting to connect multiple ISO sockets without using
DEFER_SETUP may result in the following crash:
BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted
6.0.0-rc7-02243-gb84a13ff4eda #4373
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS 1.16.0-1.fc36 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x19/0x27
kasan_report+0xbc/0xf0
? hci_create_cis_sync+0x18b/0x2b0
hci_create_cis_sync+0x18b/0x2b0
? get_link_mode+0xd0/0xd0
? __ww_mutex_lock_slowpath+0x10/0x10
? mutex_lock+0xe0/0xe0
? get_link_mode+0xd0/0xd0
hci_cmd_sync_work+0x111/0x190
process_one_work+0x427/0x650
worker_thread+0x87/0x750
? process_one_work+0x650/0x650
kthread+0x14e/0x180
? kthread_exit+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
26afbd826ee326e63a334c37fd45e82e50a615ec , < a190cd9dc62d6ebeb679c1abe9dda4162dfefc84
(git)
Affected: 26afbd826ee326e63a334c37fd45e82e50a615ec , < 09a3b0c9c7c6b10587fbb610b718014703cff341 (git) Affected: 26afbd826ee326e63a334c37fd45e82e50a615ec , < 50757a259ba78c4e938b5735e76ffec6cd0c942e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a190cd9dc62d6ebeb679c1abe9dda4162dfefc84",
"status": "affected",
"version": "26afbd826ee326e63a334c37fd45e82e50a615ec",
"versionType": "git"
},
{
"lessThan": "09a3b0c9c7c6b10587fbb610b718014703cff341",
"status": "affected",
"version": "26afbd826ee326e63a334c37fd45e82e50a615ec",
"versionType": "git"
},
{
"lessThan": "50757a259ba78c4e938b5735e76ffec6cd0c942e",
"status": "affected",
"version": "26afbd826ee326e63a334c37fd45e82e50a615ec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix crash on hci_create_cis_sync\n\nWhen attempting to connect multiple ISO sockets without using\nDEFER_SETUP may result in the following crash:\n\nBUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0\nRead of size 2 at addr 0000000000000036 by task kworker/u3:1/50\n\nCPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted\n6.0.0-rc7-02243-gb84a13ff4eda #4373\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009),\nBIOS 1.16.0-1.fc36 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x19/0x27\n kasan_report+0xbc/0xf0\n ? hci_create_cis_sync+0x18b/0x2b0\n hci_create_cis_sync+0x18b/0x2b0\n ? get_link_mode+0xd0/0xd0\n ? __ww_mutex_lock_slowpath+0x10/0x10\n ? mutex_lock+0xe0/0xe0\n ? get_link_mode+0xd0/0xd0\n hci_cmd_sync_work+0x111/0x190\n process_one_work+0x427/0x650\n worker_thread+0x87/0x750\n ? process_one_work+0x650/0x650\n kthread+0x14e/0x180\n ? kthread_exit+0x50/0x50\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:21.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a190cd9dc62d6ebeb679c1abe9dda4162dfefc84"
},
{
"url": "https://git.kernel.org/stable/c/09a3b0c9c7c6b10587fbb610b718014703cff341"
},
{
"url": "https://git.kernel.org/stable/c/50757a259ba78c4e938b5735e76ffec6cd0c942e"
}
],
"title": "Bluetooth: hci_conn: Fix crash on hci_create_cis_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50447",
"datePublished": "2025-10-01T11:45:21.804Z",
"dateReserved": "2025-09-17T14:53:07.011Z",
"dateUpdated": "2025-10-01T11:45:21.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40176 (GCVE-0-2025-40176)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:53 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Async decryption calls tls_strp_msg_hold to create a clone of the
input skb to hold references to the memory it uses. If we fail to
allocate that clone, proceeding with async decryption can lead to
various issues (UAF on the skb, writing into userspace memory after
the recv() call has returned).
In this case, wait for all pending decryption requests.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 9f83fd0c179e0f458e824e417f9d5ad53443f685
(git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c61d4368197d65c4809d9271f3b85325a600586a (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 39dec4ea3daf77f684308576baf483b55ca7f160 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < b8a6ff84abbcbbc445463de58704686011edc8e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "c61d4368197d65c4809d9271f3b85325a600586a",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "39dec4ea3daf77f684308576baf483b55ca7f160",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: wait for pending async decryptions if tls_strp_msg_hold fails\n\nAsync decryption calls tls_strp_msg_hold to create a clone of the\ninput skb to hold references to the memory it uses. If we fail to\nallocate that clone, proceeding with async decryption can lead to\nvarious issues (UAF on the skb, writing into userspace memory after\nthe recv() call has returned).\n\nIn this case, wait for all pending decryption requests."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:32.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685"
},
{
"url": "https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a"
},
{
"url": "https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160"
},
{
"url": "https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0"
},
{
"url": "https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1"
}
],
"title": "tls: wait for pending async decryptions if tls_strp_msg_hold fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40176",
"datePublished": "2025-11-12T10:53:50.443Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:32.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39905 (GCVE-0-2025-39905)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:44 – Updated: 2026-01-14 19:33
VLAI?
EPSS
Title
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Currently phylink_resolve() protects itself against concurrent
phylink_bringup_phy() or phylink_disconnect_phy() calls which modify
pl->phydev by relying on pl->state_mutex.
The problem is that in phylink_resolve(), pl->state_mutex is in a lock
inversion state with pl->phydev->lock. So pl->phydev->lock needs to be
acquired prior to pl->state_mutex. But that requires dereferencing
pl->phydev in the first place, and without pl->state_mutex, that is
racy.
Hence the reason for the extra lock. Currently it is redundant, but it
will serve a functional purpose once mutex_lock(&phy->lock) will be
moved outside of the mutex_lock(&pl->state_mutex) section.
Another alternative considered would have been to let phylink_resolve()
acquire the rtnl_mutex, which is also held when phylink_bringup_phy()
and phylink_disconnect_phy() are called. But since phylink_disconnect_phy()
runs under rtnl_lock(), it would deadlock with phylink_resolve() when
calling flush_work(&pl->resolve). Additionally, it would have been
undesirable because it would have unnecessarily blocked many other call
paths as well in the entire kernel, so the smaller-scoped lock was
preferred.
Severity ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:30:27.795933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:14.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56fe63b05ec84ae6674269d78397cec43a7a295a",
"status": "affected",
"version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
"versionType": "git"
},
{
"lessThan": "0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3",
"status": "affected",
"version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver\n\nCurrently phylink_resolve() protects itself against concurrent\nphylink_bringup_phy() or phylink_disconnect_phy() calls which modify\npl-\u003ephydev by relying on pl-\u003estate_mutex.\n\nThe problem is that in phylink_resolve(), pl-\u003estate_mutex is in a lock\ninversion state with pl-\u003ephydev-\u003elock. So pl-\u003ephydev-\u003elock needs to be\nacquired prior to pl-\u003estate_mutex. But that requires dereferencing\npl-\u003ephydev in the first place, and without pl-\u003estate_mutex, that is\nracy.\n\nHence the reason for the extra lock. Currently it is redundant, but it\nwill serve a functional purpose once mutex_lock(\u0026phy-\u003elock) will be\nmoved outside of the mutex_lock(\u0026pl-\u003estate_mutex) section.\n\nAnother alternative considered would have been to let phylink_resolve()\nacquire the rtnl_mutex, which is also held when phylink_bringup_phy()\nand phylink_disconnect_phy() are called. But since phylink_disconnect_phy()\nruns under rtnl_lock(), it would deadlock with phylink_resolve() when\ncalling flush_work(\u0026pl-\u003eresolve). Additionally, it would have been\nundesirable because it would have unnecessarily blocked many other call\npaths as well in the entire kernel, so the smaller-scoped lock was\npreferred."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:40.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56fe63b05ec84ae6674269d78397cec43a7a295a"
},
{
"url": "https://git.kernel.org/stable/c/0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3"
}
],
"title": "net: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39905",
"datePublished": "2025-10-01T07:44:28.758Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2026-01-14T19:33:14.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53581 (GCVE-0-2023-53581)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2025-10-04 15:43
VLAI?
EPSS
Title
net/mlx5e: Check for NOT_READY flag state after locking
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Check for NOT_READY flag state after locking
Currently the check for NOT_READY flag is performed before obtaining the
necessary lock. This opens a possibility for race condition when the flow
is concurrently removed from unready_flows list by the workqueue task,
which causes a double-removal from the list and a crash[0]. Fix the issue
by moving the flag check inside the section protected by
uplink_priv->unready_flows_lock mutex.
[0]:
[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1
[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06
[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246
[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00
[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0
[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001
[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000
[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000
[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000
[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0
[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[44376.406339] Call Trace:
[44376.406651] <TASK>
[44376.406939] ? die_addr+0x33/0x90
[44376.407311] ? exc_general_protection+0x192/0x390
[44376.407795] ? asm_exc_general_protection+0x22/0x30
[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]
[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]
[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core]
[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core]
[44376.411043] tc_setup_cb_reoffload+0x22/0x80
[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower]
[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
[44376.413044] tcf_block_playback_offloads+0x76/0x170
[44376.413497] tcf_block_unbind+0x7b/0xd0
[44376.413881] tcf_block_setup+0x17d/0x1c0
[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130
[44376.414725] tcf_block_offload_unbind+0x43/0x70
[44376.415153] __tcf_block_put+0x82/0x150
[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress]
[44376.415986] qdisc_destroy+0x3b/0xd0
[44376.416343] qdisc_graft+0x4d0/0x620
[44376.416706] tc_get_qdisc+0x1c9/0x3b0
[44376.417074] rtnetlink_rcv_msg+0x29c/0x390
[44376.419978] ? rep_movs_alternative+0x3a/0xa0
[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120
[44376.420813] netlink_rcv_skb+0x54/0x100
[44376.421192] netlink_unicast+0x1f6/0x2c0
[44376.421573] netlink_sendmsg+0x232/0x4a0
[44376.421980] sock_sendmsg+0x38/0x60
[44376.422328] ____sys_sendmsg+0x1d0/0x1e0
[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0
[44376.423127] ___sys_sendmsg+0x80/0xc0
[44376.423495] ? ___sys_recvmsg+0x8b/0xc0
[44376.423869] __sys_sendmsg+0x51/0x90
[44376.424226] do_syscall_64+0x3d/0x90
[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[44376.425046] RIP: 0033:0x7f045134f887
[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ad86755b18d5edf1956f6d25c844f27289216877 , < 30c281a77fb1b2d362030ea243dd663201d62a21
(git)
Affected: ad86755b18d5edf1956f6d25c844f27289216877 , < 82ac62d76a000871004f534ad294e763e966d3b0 (git) Affected: ad86755b18d5edf1956f6d25c844f27289216877 , < e962fd5933ebc767ce2a1cf7b7c85035b5a5d04c (git) Affected: ad86755b18d5edf1956f6d25c844f27289216877 , < f7ceedd1d124217a67ed1a67bbd7a7b1288705e3 (git) Affected: ad86755b18d5edf1956f6d25c844f27289216877 , < 65e64640e97c0f223e77f9ea69b5a46186b93470 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30c281a77fb1b2d362030ea243dd663201d62a21",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "82ac62d76a000871004f534ad294e763e966d3b0",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "e962fd5933ebc767ce2a1cf7b7c85035b5a5d04c",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "f7ceedd1d124217a67ed1a67bbd7a7b1288705e3",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "65e64640e97c0f223e77f9ea69b5a46186b93470",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Check for NOT_READY flag state after locking\n\nCurrently the check for NOT_READY flag is performed before obtaining the\nnecessary lock. This opens a possibility for race condition when the flow\nis concurrently removed from unready_flows list by the workqueue task,\nwhich causes a double-removal from the list and a crash[0]. Fix the issue\nby moving the flag check inside the section protected by\nuplink_priv-\u003eunready_flows_lock mutex.\n\n[0]:\n[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1\n[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 \u003c48\u003e 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06\n[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246\n[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00\n[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0\n[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001\n[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000\n[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000\n[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000\n[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0\n[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[44376.406339] Call Trace:\n[44376.406651] \u003cTASK\u003e\n[44376.406939] ? die_addr+0x33/0x90\n[44376.407311] ? exc_general_protection+0x192/0x390\n[44376.407795] ? asm_exc_general_protection+0x22/0x30\n[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]\n[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]\n[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core]\n[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core]\n[44376.411043] tc_setup_cb_reoffload+0x22/0x80\n[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower]\n[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.413044] tcf_block_playback_offloads+0x76/0x170\n[44376.413497] tcf_block_unbind+0x7b/0xd0\n[44376.413881] tcf_block_setup+0x17d/0x1c0\n[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130\n[44376.414725] tcf_block_offload_unbind+0x43/0x70\n[44376.415153] __tcf_block_put+0x82/0x150\n[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress]\n[44376.415986] qdisc_destroy+0x3b/0xd0\n[44376.416343] qdisc_graft+0x4d0/0x620\n[44376.416706] tc_get_qdisc+0x1c9/0x3b0\n[44376.417074] rtnetlink_rcv_msg+0x29c/0x390\n[44376.419978] ? rep_movs_alternative+0x3a/0xa0\n[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120\n[44376.420813] netlink_rcv_skb+0x54/0x100\n[44376.421192] netlink_unicast+0x1f6/0x2c0\n[44376.421573] netlink_sendmsg+0x232/0x4a0\n[44376.421980] sock_sendmsg+0x38/0x60\n[44376.422328] ____sys_sendmsg+0x1d0/0x1e0\n[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0\n[44376.423127] ___sys_sendmsg+0x80/0xc0\n[44376.423495] ? ___sys_recvmsg+0x8b/0xc0\n[44376.423869] __sys_sendmsg+0x51/0x90\n[44376.424226] do_syscall_64+0x3d/0x90\n[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[44376.425046] RIP: 0033:0x7f045134f887\n[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:57.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30c281a77fb1b2d362030ea243dd663201d62a21"
},
{
"url": "https://git.kernel.org/stable/c/82ac62d76a000871004f534ad294e763e966d3b0"
},
{
"url": "https://git.kernel.org/stable/c/e962fd5933ebc767ce2a1cf7b7c85035b5a5d04c"
},
{
"url": "https://git.kernel.org/stable/c/f7ceedd1d124217a67ed1a67bbd7a7b1288705e3"
},
{
"url": "https://git.kernel.org/stable/c/65e64640e97c0f223e77f9ea69b5a46186b93470"
}
],
"title": "net/mlx5e: Check for NOT_READY flag state after locking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53581",
"datePublished": "2025-10-04T15:43:57.758Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:43:57.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23142 (GCVE-0-2025-23142)
Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:42
VLAI?
EPSS
Title
sctp: detect and prevent references to a freed transport in sendmsg
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: detect and prevent references to a freed transport in sendmsg
sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf().
This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read.
This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").
Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process.
If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
df132eff463873e14e019a07f387b4d577d6d1f9 , < 547762250220325d350d0917a7231480e0f4142b
(git)
Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 0f7df4899299ce4662e5f95badb9dbc57cc37fa5 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 7a63f4fb0efb4e69efd990cbb740a848679ec4b0 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < c6fefcb71d246baaf3bacdad1af7ff50ebcfe652 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 9e7c37fadb3be1fc33073fcf10aa96d166caa697 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2 (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < 2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee (git) Affected: df132eff463873e14e019a07f387b4d577d6d1f9 , < f1a69a940de58b16e8249dff26f74c8cc59b32be (git) Affected: 26e51e5287eed4d96ea66a3da95429f42940f013 (git) Affected: 8b97e045bd6d37f96f161e4d371ae174148e1587 (git) Affected: e044554e97e812eb257d073bcc130e0ea653858f (git) Affected: 8376fdc999be008f0e9918db52f1ed8c08f5a1c9 (git) Affected: cd947138e8c31e8cfcd489c12e9b97271beb6e79 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:29.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sctp/structs.h",
"net/sctp/socket.c",
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "547762250220325d350d0917a7231480e0f4142b",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "0f7df4899299ce4662e5f95badb9dbc57cc37fa5",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "7a63f4fb0efb4e69efd990cbb740a848679ec4b0",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "c6fefcb71d246baaf3bacdad1af7ff50ebcfe652",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "9e7c37fadb3be1fc33073fcf10aa96d166caa697",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"lessThan": "f1a69a940de58b16e8249dff26f74c8cc59b32be",
"status": "affected",
"version": "df132eff463873e14e019a07f387b4d577d6d1f9",
"versionType": "git"
},
{
"status": "affected",
"version": "26e51e5287eed4d96ea66a3da95429f42940f013",
"versionType": "git"
},
{
"status": "affected",
"version": "8b97e045bd6d37f96f161e4d371ae174148e1587",
"versionType": "git"
},
{
"status": "affected",
"version": "e044554e97e812eb257d073bcc130e0ea653858f",
"versionType": "git"
},
{
"status": "affected",
"version": "8376fdc999be008f0e9918db52f1ed8c08f5a1c9",
"versionType": "git"
},
{
"status": "affected",
"version": "cd947138e8c31e8cfcd489c12e9b97271beb6e79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sctp/structs.h",
"net/sctp/socket.c",
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: detect and prevent references to a freed transport in sendmsg\n\nsctp_sendmsg() re-uses associations and transports when possible by\ndoing a lookup based on the socket endpoint and the message destination\naddress, and then sctp_sendmsg_to_asoc() sets the selected transport in\nall the message chunks to be sent.\n\nThere\u0027s a possible race condition if another thread triggers the removal\nof that selected transport, for instance, by explicitly unbinding an\naddress with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have\nbeen set up and before the message is sent. This can happen if the send\nbuffer is full, during the period when the sender thread temporarily\nreleases the socket lock in sctp_wait_for_sndbuf().\n\nThis causes the access to the transport data in\nsctp_outq_select_transport(), when the association outqueue is flushed,\nto result in a use-after-free read.\n\nThis change avoids this scenario by having sctp_transport_free() signal\nthe freeing of the transport, tagging it as \"dead\". In order to do this,\nthe patch restores the \"dead\" bit in struct sctp_transport, which was\nremoved in\ncommit 47faa1e4c50e (\"sctp: remove the dead field of sctp_transport\").\n\nThen, in the scenario where the sender thread has released the socket\nlock in sctp_wait_for_sndbuf(), the bit is checked again after\nre-acquiring the socket lock to detect the deletion. This is done while\nholding a reference to the transport to prevent it from being freed in\nthe process.\n\nIf the transport was deleted while the socket lock was relinquished,\nsctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the\nsend.\n\nThe bug was found by a private syzbot instance (see the error report [1]\nand the C reproducer that triggers it [2])."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:19:21.452Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/547762250220325d350d0917a7231480e0f4142b"
},
{
"url": "https://git.kernel.org/stable/c/3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8"
},
{
"url": "https://git.kernel.org/stable/c/0f7df4899299ce4662e5f95badb9dbc57cc37fa5"
},
{
"url": "https://git.kernel.org/stable/c/7a63f4fb0efb4e69efd990cbb740a848679ec4b0"
},
{
"url": "https://git.kernel.org/stable/c/c6fefcb71d246baaf3bacdad1af7ff50ebcfe652"
},
{
"url": "https://git.kernel.org/stable/c/9e7c37fadb3be1fc33073fcf10aa96d166caa697"
},
{
"url": "https://git.kernel.org/stable/c/5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2"
},
{
"url": "https://git.kernel.org/stable/c/2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee"
},
{
"url": "https://git.kernel.org/stable/c/f1a69a940de58b16e8249dff26f74c8cc59b32be"
}
],
"title": "sctp: detect and prevent references to a freed transport in sendmsg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23142",
"datePublished": "2025-05-01T12:55:32.614Z",
"dateReserved": "2025-01-11T14:28:41.512Z",
"dateUpdated": "2025-11-03T19:42:29.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53675 (GCVE-0-2023-53675)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-01-05 10:21
VLAI?
EPSS
Title
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9927c68864e9c39cc317b4f559309ba29e642168 , < 72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7
(git)
Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < cffe09ca0555e235a42d6fa065e463c4b3d5b657 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < c315560e3ef77c1d822249f1743e647dc9c9912a (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 584892fd29a41ef424a148118a3103b16b94fb8c (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 414418abc19fa4ccf730d273061a426c07a061d6 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 4b8cae410472653a59e15af62c57c49b8e0a1201 (git) Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 801ab13d50cf3d26170ee073ea8bb4eececb76ab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "cffe09ca0555e235a42d6fa065e463c4b3d5b657",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "c315560e3ef77c1d822249f1743e647dc9c9912a",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "584892fd29a41ef424a148118a3103b16b94fb8c",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "414418abc19fa4ccf730d273061a426c07a061d6",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "4b8cae410472653a59e15af62c57c49b8e0a1201",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "801ab13d50cf3d26170ee073ea8bb4eececb76ab",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible desc_ptr out-of-bounds accesses\n\nSanitize possible desc_ptr out-of-bounds accesses in\nses_enclosure_data_process()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:21:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7"
},
{
"url": "https://git.kernel.org/stable/c/cffe09ca0555e235a42d6fa065e463c4b3d5b657"
},
{
"url": "https://git.kernel.org/stable/c/79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19"
},
{
"url": "https://git.kernel.org/stable/c/c315560e3ef77c1d822249f1743e647dc9c9912a"
},
{
"url": "https://git.kernel.org/stable/c/584892fd29a41ef424a148118a3103b16b94fb8c"
},
{
"url": "https://git.kernel.org/stable/c/414418abc19fa4ccf730d273061a426c07a061d6"
},
{
"url": "https://git.kernel.org/stable/c/4b8cae410472653a59e15af62c57c49b8e0a1201"
},
{
"url": "https://git.kernel.org/stable/c/801ab13d50cf3d26170ee073ea8bb4eececb76ab"
}
],
"title": "scsi: ses: Fix possible desc_ptr out-of-bounds accesses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53675",
"datePublished": "2025-10-07T15:21:31.018Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2026-01-05T10:21:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53539 (GCVE-0-2023-53539)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2025-10-04 15:16
VLAI?
EPSS
Title
RDMA/rxe: Fix incomplete state save in rxe_requester
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix incomplete state save in rxe_requester
If a send packet is dropped by the IP layer in rxe_requester()
the call to rxe_xmit_packet() can fail with err == -EAGAIN.
To recover, the state of the wqe is restored to the state before
the packet was sent so it can be resent. However, the routines
that save and restore the state miss a significnt part of the
variable state in the wqe, the dma struct which is used to process
through the sge table. And, the state is not saved before the packet
is built which modifies the dma struct.
Under heavy stress testing with many QPs on a fast node sending
large messages to a slow node dropped packets are observed and
the resent packets are corrupted because the dma struct was not
restored. This patch fixes this behavior and allows the test cases
to succeed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3050b99850247695cb07a5c15265afcc08bcf400 , < 70518f3aaf5a059b691867d7d2d46b999319656a
(git)
Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 2f2a6422287fe29f9343247d77b645100ece0652 (git) Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 255c0e60e1d16874fc151358d94bc8df661600dd (git) Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 5d122db2ff80cd2aed4dcd630befb56b51ddf947 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70518f3aaf5a059b691867d7d2d46b999319656a",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "2f2a6422287fe29f9343247d77b645100ece0652",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "255c0e60e1d16874fc151358d94bc8df661600dd",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "5d122db2ff80cd2aed4dcd630befb56b51ddf947",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix incomplete state save in rxe_requester\n\nIf a send packet is dropped by the IP layer in rxe_requester()\nthe call to rxe_xmit_packet() can fail with err == -EAGAIN.\nTo recover, the state of the wqe is restored to the state before\nthe packet was sent so it can be resent. However, the routines\nthat save and restore the state miss a significnt part of the\nvariable state in the wqe, the dma struct which is used to process\nthrough the sge table. And, the state is not saved before the packet\nis built which modifies the dma struct.\n\nUnder heavy stress testing with many QPs on a fast node sending\nlarge messages to a slow node dropped packets are observed and\nthe resent packets are corrupted because the dma struct was not\nrestored. This patch fixes this behavior and allows the test cases\nto succeed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:49.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70518f3aaf5a059b691867d7d2d46b999319656a"
},
{
"url": "https://git.kernel.org/stable/c/2f2a6422287fe29f9343247d77b645100ece0652"
},
{
"url": "https://git.kernel.org/stable/c/255c0e60e1d16874fc151358d94bc8df661600dd"
},
{
"url": "https://git.kernel.org/stable/c/5d122db2ff80cd2aed4dcd630befb56b51ddf947"
}
],
"title": "RDMA/rxe: Fix incomplete state save in rxe_requester",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53539",
"datePublished": "2025-10-04T15:16:49.379Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2025-10-04T15:16:49.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39817 (GCVE-0-2025-39817)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
kasan_check_range+0xe8/0x190
__asan_loadN+0x1c/0x28
memcmp+0x98/0xd0
efivarfs_d_compare+0x68/0xd8
__d_lookup_rcu_op_compare+0x178/0x218
__d_lookup_rcu+0x1f8/0x228
d_alloc_parallel+0x150/0x648
lookup_open.isra.0+0x5f0/0x8d0
open_last_lookups+0x264/0x828
path_openat+0x130/0x3f8
do_filp_open+0x114/0x248
do_sys_openat2+0x340/0x3c0
__arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become
negative, leadings to oob. The issue can be triggered by parallel
lookups using invalid filename:
T1 T2
lookup_open
->lookup
simple_lookup
d_add
// invalid dentry is added to hash list
lookup_open
d_alloc_parallel
__d_lookup_rcu
__d_lookup_rcu_op_compare
hlist_bl_for_each_entry_rcu
// invalid dentry can be retrieved
->d_compare
efivarfs_d_compare
// oob
Fix it by checking 'guid' before cmp.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6
(git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 794399019301944fd6d2e0d7a51b3327e26c410e (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 568e7761279b99c6daa3002290fd6d8047ddb6d2 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 925599eba46045930b850a98ae594d2e3028ac40 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < c2925cd6207079c3f4d040d082515db78d63afbf (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 71581a82f38e5a4d807d71fc1bb59aead80ccf95 (git) Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < a6358f8cf64850f3f27857b8ed8c1b08cfc4685c (git) Affected: 688289c4b745c018b3449b4b4c5a2030083c8eaf (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:40.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "794399019301944fd6d2e0d7a51b3327e26c410e",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "568e7761279b99c6daa3002290fd6d8047ddb6d2",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "925599eba46045930b850a98ae594d2e3028ac40",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "c2925cd6207079c3f4d040d082515db78d63afbf",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "71581a82f38e5a4d807d71fc1bb59aead80ccf95",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"lessThan": "a6358f8cf64850f3f27857b8ed8c1b08cfc4685c",
"status": "affected",
"version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
"versionType": "git"
},
{
"status": "affected",
"version": "688289c4b745c018b3449b4b4c5a2030083c8eaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n Call trace:\n kasan_check_range+0xe8/0x190\n __asan_loadN+0x1c/0x28\n memcmp+0x98/0xd0\n efivarfs_d_compare+0x68/0xd8\n __d_lookup_rcu_op_compare+0x178/0x218\n __d_lookup_rcu+0x1f8/0x228\n d_alloc_parallel+0x150/0x648\n lookup_open.isra.0+0x5f0/0x8d0\n open_last_lookups+0x264/0x828\n path_openat+0x130/0x3f8\n do_filp_open+0x114/0x248\n do_sys_openat2+0x340/0x3c0\n __arm64_sys_openat+0x120/0x1a0\n\nIf dentry-\u003ed_name.len \u003c EFI_VARIABLE_GUID_LEN , \u0027guid\u0027 can become\nnegative, leadings to oob. The issue can be triggered by parallel\nlookups using invalid filename:\n\n T1\t\t\tT2\n lookup_open\n -\u003elookup\n simple_lookup\n d_add\n // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t __d_lookup_rcu\n\t\t\t __d_lookup_rcu_op_compare\n\t\t\t hlist_bl_for_each_entry_rcu\n\t\t\t // invalid dentry can be retrieved\n\t\t\t -\u003ed_compare\n\t\t\t efivarfs_d_compare\n\t\t\t // oob\n\nFix it by checking \u0027guid\u0027 before cmp."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:15.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6"
},
{
"url": "https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e"
},
{
"url": "https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2"
},
{
"url": "https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7"
},
{
"url": "https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40"
},
{
"url": "https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf"
},
{
"url": "https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95"
},
{
"url": "https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c"
}
],
"title": "efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39817",
"datePublished": "2025-09-16T13:00:17.776Z",
"dateReserved": "2025-04-16T07:20:57.138Z",
"dateUpdated": "2025-11-03T17:43:40.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39983 (GCVE-0-2025-39983)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
This fixes the following UAF caused by not properly locking hdev when
processing HCI_EV_NUM_COMP_PKTS:
BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54
CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
hci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 54:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
le_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628
hci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794
hci_event_func net/bluetooth/hci_event.c:7474 [inline]
hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
Freed by task 9572:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dde33124f17cf3bab4dc5e18d1b4dee128361061",
"status": "affected",
"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f",
"versionType": "git"
},
{
"lessThan": "2e128683176a56459cef8705fc7c35f438f88abd",
"status": "affected",
"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue\n\nThis fixes the following UAF caused by not properly locking hdev when\nprocessing HCI_EV_NUM_COMP_PKTS:\n\nBUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\nRead of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54\n\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci1 hci_rx_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\n hci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 54:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n le_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628\n hci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794\n hci_event_func net/bluetooth/hci_event.c:7474 [inline]\n hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n\nFreed by task 9572:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:02.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dde33124f17cf3bab4dc5e18d1b4dee128361061"
},
{
"url": "https://git.kernel.org/stable/c/2e128683176a56459cef8705fc7c35f438f88abd"
}
],
"title": "Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39983",
"datePublished": "2025-10-15T07:56:02.752Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:02.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39966 (GCVE-0-2025-39966)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
iommufd: Fix race during abort for file descriptors
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix race during abort for file descriptors
fput() doesn't actually call file_operations release() synchronously, it
puts the file on a work queue and it will be released eventually.
This is normally fine, except for iommufd the file and the iommufd_object
are tied to gether. The file has the object as it's private_data and holds
a users refcount, while the object is expected to remain alive as long as
the file is.
When the allocation of a new object aborts before installing the file it
will fput() the file and then go on to immediately kfree() the obj. This
causes a UAF once the workqueue completes the fput() and tries to
decrement the users refcount.
Fix this by putting the core code in charge of the file lifetime, and call
__fput_sync() during abort to ensure that release() is called before
kfree. __fput_sync() is a bit too tricky to open code in all the object
implementations. Instead the objects tell the core code where the file
pointer is and the core will take care of the life cycle.
If the object is successfully allocated then the file will hold a users
refcount and the iommufd_object cannot be destroyed.
It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an
issue because close() is already using a synchronous version of fput().
The UAF looks like this:
BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164
CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
__refcount_dec include/linux/refcount.h:455 [inline]
refcount_dec include/linux/refcount.h:476 [inline]
iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07838f7fd529c8a6de44b601d4b7057e6c8d36ed , < 17195a7d754a5c6a31888702ca93f6f08f3383ad
(git)
Affected: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed , < e4825368285e33d6360c6c6a6a10d2d83da06e55 (git) Affected: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed , < 4e034bf045b12852a24d5d33f2451850818ba0c1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/eventq.c",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17195a7d754a5c6a31888702ca93f6f08f3383ad",
"status": "affected",
"version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
"versionType": "git"
},
{
"lessThan": "e4825368285e33d6360c6c6a6a10d2d83da06e55",
"status": "affected",
"version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
"versionType": "git"
},
{
"lessThan": "4e034bf045b12852a24d5d33f2451850818ba0c1",
"status": "affected",
"version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/eventq.c",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix race during abort for file descriptors\n\nfput() doesn\u0027t actually call file_operations release() synchronously, it\nputs the file on a work queue and it will be released eventually.\n\nThis is normally fine, except for iommufd the file and the iommufd_object\nare tied to gether. The file has the object as it\u0027s private_data and holds\na users refcount, while the object is expected to remain alive as long as\nthe file is.\n\nWhen the allocation of a new object aborts before installing the file it\nwill fput() the file and then go on to immediately kfree() the obj. This\ncauses a UAF once the workqueue completes the fput() and tries to\ndecrement the users refcount.\n\nFix this by putting the core code in charge of the file lifetime, and call\n__fput_sync() during abort to ensure that release() is called before\nkfree. __fput_sync() is a bit too tricky to open code in all the object\nimplementations. Instead the objects tell the core code where the file\npointer is and the core will take care of the life cycle.\n\nIf the object is successfully allocated then the file will hold a users\nrefcount and the iommufd_object cannot be destroyed.\n\nIt is worth noting that close(); ioctl(IOMMU_DESTROY); doesn\u0027t have an\nissue because close() is already using a synchronous version of fput().\n\nThe UAF looks like this:\n\n BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164\n\n CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]\n __refcount_dec include/linux/refcount.h:455 [inline]\n refcount_dec include/linux/refcount.h:476 [inline]\n iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n __fput+0x402/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:50.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17195a7d754a5c6a31888702ca93f6f08f3383ad"
},
{
"url": "https://git.kernel.org/stable/c/e4825368285e33d6360c6c6a6a10d2d83da06e55"
},
{
"url": "https://git.kernel.org/stable/c/4e034bf045b12852a24d5d33f2451850818ba0c1"
}
],
"title": "iommufd: Fix race during abort for file descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39966",
"datePublished": "2025-10-15T07:55:50.843Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:50.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53705 (GCVE-0-2023-53705)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2025-10-22 13:23
VLAI?
EPSS
Title
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c61a404325093250b676f40ad8f4dd00f3bcab5f , < 59e656d0d4a84ea0ee9a39c6f69160a3effccc94
(git)
Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < 04bf69e3de435d793a203aacc4b774f8f9f2baeb (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < 011f47c8b8389154f996f5f69da8efc3a3beefef (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < e5f82688ae10f5f386952e65e941bb8868ee54dc (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < 9b92e2d0eb696d7586ba832c8854653b59887da0 (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < 91dd8aab9c9f193210681b86b6b92840ffe74f0c (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < ae68c0f7edbc9a294094ce03a0aaf45aa489ce40 (git) Affected: c61a404325093250b676f40ad8f4dd00f3bcab5f , < 878ecb0897f4737a4c9401f3523fd49589025671 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59e656d0d4a84ea0ee9a39c6f69160a3effccc94",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "04bf69e3de435d793a203aacc4b774f8f9f2baeb",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "011f47c8b8389154f996f5f69da8efc3a3beefef",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "e5f82688ae10f5f386952e65e941bb8868ee54dc",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "9b92e2d0eb696d7586ba832c8854653b59887da0",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "91dd8aab9c9f193210681b86b6b92840ffe74f0c",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "ae68c0f7edbc9a294094ce03a0aaf45aa489ce40",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "878ecb0897f4737a4c9401f3523fd49589025671",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bounds access in ipv6_find_tlv()\n\noptlen is fetched without checking whether there is more than one byte to parse.\nIt can lead to out-of-bounds access.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:42.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59e656d0d4a84ea0ee9a39c6f69160a3effccc94"
},
{
"url": "https://git.kernel.org/stable/c/04bf69e3de435d793a203aacc4b774f8f9f2baeb"
},
{
"url": "https://git.kernel.org/stable/c/011f47c8b8389154f996f5f69da8efc3a3beefef"
},
{
"url": "https://git.kernel.org/stable/c/e5f82688ae10f5f386952e65e941bb8868ee54dc"
},
{
"url": "https://git.kernel.org/stable/c/9b92e2d0eb696d7586ba832c8854653b59887da0"
},
{
"url": "https://git.kernel.org/stable/c/91dd8aab9c9f193210681b86b6b92840ffe74f0c"
},
{
"url": "https://git.kernel.org/stable/c/ae68c0f7edbc9a294094ce03a0aaf45aa489ce40"
},
{
"url": "https://git.kernel.org/stable/c/878ecb0897f4737a4c9401f3523fd49589025671"
}
],
"title": "ipv6: Fix out-of-bounds access in ipv6_find_tlv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53705",
"datePublished": "2025-10-22T13:23:42.641Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:42.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35868 (GCVE-0-2024-35868)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-01-05 10:35
VLAI?
EPSS
Title
smb: client: fix potential UAF in cifs_stats_proc_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in cifs_stats_proc_write()
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 8fefd166fcb368c5fcf48238e3f7c8af829e0a72
(git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < cf03020c56d3ed28c4942280957a007b5e9544f7 (git) Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 5b5475ce69f02ecc1b13ea23106e5b89c690429b (git) Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < d3da25c5ac84430f89875ca7485a3828150a7e0a (git) Affected: a67172a013953664b1dad03c648200c70b90506c (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T19:41:39.676254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:34:13.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fefd166fcb368c5fcf48238e3f7c8af829e0a72",
"status": "affected",
"version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
"versionType": "git"
},
{
"lessThan": "cf03020c56d3ed28c4942280957a007b5e9544f7",
"status": "affected",
"version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
"versionType": "git"
},
{
"lessThan": "5b5475ce69f02ecc1b13ea23106e5b89c690429b",
"status": "affected",
"version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
"versionType": "git"
},
{
"lessThan": "d3da25c5ac84430f89875ca7485a3828150a7e0a",
"status": "affected",
"version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
"versionType": "git"
},
{
"status": "affected",
"version": "a67172a013953664b1dad03c648200c70b90506c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.48",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:35:35.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72"
},
{
"url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7"
},
{
"url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b"
},
{
"url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a"
}
],
"title": "smb: client: fix potential UAF in cifs_stats_proc_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35868",
"datePublished": "2024-05-19T08:34:26.806Z",
"dateReserved": "2024-05-17T13:50:33.108Z",
"dateUpdated": "2026-01-05T10:35:35.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50543 (GCVE-0-2022-50543)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2025-10-07 15:21
VLAI?
EPSS
Title
RDMA/rxe: Fix mr->map double free
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]
This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
memory leak in error path code") and then we fixed it in commit
8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
fix was reverted together at last by commit 1e75550648da (Revert
"RDMA/rxe: Create duplicate mapping tables for FMRs")
Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
successfully allocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1e75550648da1fa1cd1969e7597355de8fe8caf6 , < 6ce577f09013206e36e674cd27da3707b2278268
(git)
Affected: 1e75550648da1fa1cd1969e7597355de8fe8caf6 , < 06f73568f553b5be6ba7f6fe274d333ea29fc46d (git) Affected: 1e75550648da1fa1cd1969e7597355de8fe8caf6 , < 7d984dac8f6bf4ebd3398af82b357e1d181ecaac (git) Affected: e004a35e8148ad9fc438b0479884641acf382896 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ce577f09013206e36e674cd27da3707b2278268",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "06f73568f553b5be6ba7f6fe274d333ea29fc46d",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "7d984dac8f6bf4ebd3398af82b357e1d181ecaac",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"status": "affected",
"version": "e004a35e8148ad9fc438b0479884641acf382896",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr-\u003emap double free\n\nrxe_mr_cleanup() which tries to free mr-\u003emap again will be called when\nrxe_mr_init_user() fails:\n\n CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x5d\n panic+0x19e/0x349\n end_report.part.0+0x54/0x7c\n kasan_report.cold+0xa/0xf\n rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr-\u003emap once it is\nsuccessfully allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:07.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268"
},
{
"url": "https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d"
},
{
"url": "https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac"
}
],
"title": "RDMA/rxe: Fix mr-\u003emap double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50543",
"datePublished": "2025-10-07T15:21:07.939Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:07.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39843 (GCVE-0-2025-39843)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
VLAI?
EPSS
Title
mm: slub: avoid wake up kswapd in set_track_prepare
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: slub: avoid wake up kswapd in set_track_prepare
set_track_prepare() can incur lock recursion.
The issue is that it is called from hrtimer_start_range_ns
holding the per_cpu(hrtimer_bases)[n].lock, but when enabled
CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,
and try to hold the per_cpu(hrtimer_bases)[n].lock.
Avoid deadlock caused by implicitly waking up kswapd by passing in
allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the
debug_objects_fill_pool() case. Inside stack depot they are processed by
gfp_nested_mask().
Since ___slab_alloc() has preemption disabled, we mask out
__GFP_DIRECT_RECLAIM from the flags there.
The oops looks something like:
BUG: spinlock recursion on CPU#3, swapper/3/0
lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3
Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)
Call trace:
spin_bug+0x0
_raw_spin_lock_irqsave+0x80
hrtimer_try_to_cancel+0x94
task_contending+0x10c
enqueue_dl_entity+0x2a4
dl_server_start+0x74
enqueue_task_fair+0x568
enqueue_task+0xac
do_activate_task+0x14c
ttwu_do_activate+0xcc
try_to_wake_up+0x6c8
default_wake_function+0x20
autoremove_wake_function+0x1c
__wake_up+0xac
wakeup_kswapd+0x19c
wake_all_kswapds+0x78
__alloc_pages_slowpath+0x1ac
__alloc_pages_noprof+0x298
stack_depot_save_flags+0x6b0
stack_depot_save+0x14
set_track_prepare+0x5c
___slab_alloc+0xccc
__kmalloc_cache_noprof+0x470
__set_page_owner+0x2bc
post_alloc_hook[jt]+0x1b8
prep_new_page+0x28
get_page_from_freelist+0x1edc
__alloc_pages_noprof+0x13c
alloc_slab_page+0x244
allocate_slab+0x7c
___slab_alloc+0x8e8
kmem_cache_alloc_noprof+0x450
debug_objects_fill_pool+0x22c
debug_object_activate+0x40
enqueue_hrtimer[jt]+0xdc
hrtimer_start_range_ns+0x5f8
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5cf909c553e9efed573811de4b3f5172898d5515 , < 994b03b9605d36d814c611385fbf90ca6db20aa8
(git)
Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 522ffe298627cfe72539d72167c2e20e72b5e856 (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 243b705a90ed8449f561a271cf251fd2e939f3db (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab (git) Affected: 5cf909c553e9efed573811de4b3f5172898d5515 , < 850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:58.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994b03b9605d36d814c611385fbf90ca6db20aa8",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "522ffe298627cfe72539d72167c2e20e72b5e856",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "243b705a90ed8449f561a271cf251fd2e939f3db",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
},
{
"lessThan": "850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f",
"status": "affected",
"version": "5cf909c553e9efed573811de4b3f5172898d5515",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: avoid wake up kswapd in set_track_prepare\n\nset_track_prepare() can incur lock recursion.\nThe issue is that it is called from hrtimer_start_range_ns\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\n\nAvoid deadlock caused by implicitly waking up kswapd by passing in\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\ndebug_objects_fill_pool() case. Inside stack depot they are processed by\ngfp_nested_mask().\nSince ___slab_alloc() has preemption disabled, we mask out\n__GFP_DIRECT_RECLAIM from the flags there.\n\nThe oops looks something like:\n\nBUG: spinlock recursion on CPU#3, swapper/3/0\n lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\nCall trace:\nspin_bug+0x0\n_raw_spin_lock_irqsave+0x80\nhrtimer_try_to_cancel+0x94\ntask_contending+0x10c\nenqueue_dl_entity+0x2a4\ndl_server_start+0x74\nenqueue_task_fair+0x568\nenqueue_task+0xac\ndo_activate_task+0x14c\nttwu_do_activate+0xcc\ntry_to_wake_up+0x6c8\ndefault_wake_function+0x20\nautoremove_wake_function+0x1c\n__wake_up+0xac\nwakeup_kswapd+0x19c\nwake_all_kswapds+0x78\n__alloc_pages_slowpath+0x1ac\n__alloc_pages_noprof+0x298\nstack_depot_save_flags+0x6b0\nstack_depot_save+0x14\nset_track_prepare+0x5c\n___slab_alloc+0xccc\n__kmalloc_cache_noprof+0x470\n__set_page_owner+0x2bc\npost_alloc_hook[jt]+0x1b8\nprep_new_page+0x28\nget_page_from_freelist+0x1edc\n__alloc_pages_noprof+0x13c\nalloc_slab_page+0x244\nallocate_slab+0x7c\n___slab_alloc+0x8e8\nkmem_cache_alloc_noprof+0x450\ndebug_objects_fill_pool+0x22c\ndebug_object_activate+0x40\nenqueue_hrtimer[jt]+0xdc\nhrtimer_start_range_ns+0x5f8\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:52.386Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994b03b9605d36d814c611385fbf90ca6db20aa8"
},
{
"url": "https://git.kernel.org/stable/c/522ffe298627cfe72539d72167c2e20e72b5e856"
},
{
"url": "https://git.kernel.org/stable/c/243b705a90ed8449f561a271cf251fd2e939f3db"
},
{
"url": "https://git.kernel.org/stable/c/eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab"
},
{
"url": "https://git.kernel.org/stable/c/850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f"
}
],
"title": "mm: slub: avoid wake up kswapd in set_track_prepare",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39843",
"datePublished": "2025-09-19T15:26:17.758Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:58.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38724 (GCVE-0-2025-38724)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41
VLAI?
EPSS
Title
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 3f252a73e81aa01660cb426735eab932e6182e8d
(git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d35ac850410966010e92f401f4e21868a9ea4d8b (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < f3aac6cf390d8b80e1d82975faf4ac61175519c0 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 22f45cedf281e6171817c8a3432c44d788c550e1 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d71abd1ae4e0413707cd42b10c24a11d1aa71772 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 74ad36ed60df561a303a19ecef400c7096b20306 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 36e83eda90e0e4ac52f259f775b40b2841f8a0a3 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 (git) Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 908e4ead7f757504d8b345452730636e298cbf68 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:53.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f252a73e81aa01660cb426735eab932e6182e8d",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d35ac850410966010e92f401f4e21868a9ea4d8b",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "f3aac6cf390d8b80e1d82975faf4ac61175519c0",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "22f45cedf281e6171817c8a3432c44d788c550e1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d71abd1ae4e0413707cd42b10c24a11d1aa71772",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "74ad36ed60df561a303a19ecef400c7096b20306",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "36e83eda90e0e4ac52f259f775b40b2841f8a0a3",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "908e4ead7f757504d8b345452730636e298cbf68",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:49.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d"
},
{
"url": "https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b"
},
{
"url": "https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0"
},
{
"url": "https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1"
},
{
"url": "https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772"
},
{
"url": "https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306"
},
{
"url": "https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3"
},
{
"url": "https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1"
},
{
"url": "https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68"
}
],
"title": "nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38724",
"datePublished": "2025-09-04T15:33:22.370Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:53.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39925 (GCVE-0-2025-39925)
Vulnerability from cvelistv5 – Published: 2025-10-01 08:07 – Updated: 2026-01-14 17:42
VLAI?
EPSS
Title
can: j1939: implement NETDEV_UNREGISTER notification handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: implement NETDEV_UNREGISTER notification handler
syzbot is reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
problem, for j1939 protocol did not have NETDEV_UNREGISTER notification
handler for undoing changes made by j1939_sk_bind().
Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But we need to call
j1939_priv_put() against an extra ref held by j1939_sk_bind() call
(as a part of undoing changes made by j1939_sk_bind()) as soon as
NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()
is called via j1939_sk_release()). Otherwise, the extra ref on "struct
j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from
dropping the usage count to 1; making it impossible for
unregister_netdevice() to continue.
[mkl: remove space in front of label]
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:39:05.628974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:42:45.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da9e8f429139928570407e8f90559b5d46c20262",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:13.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da9e8f429139928570407e8f90559b5d46c20262"
},
{
"url": "https://git.kernel.org/stable/c/7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a"
}
],
"title": "can: j1939: implement NETDEV_UNREGISTER notification handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39925",
"datePublished": "2025-10-01T08:07:13.123Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2026-01-14T17:42:45.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39840 (GCVE-0-2025-39840)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
VLAI?
EPSS
Title
audit: fix out-of-bounds read in audit_compare_dname_path()
Summary
In the Linux kernel, the following vulnerability has been resolved:
audit: fix out-of-bounds read in audit_compare_dname_path()
When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().
The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.
[PM: subject tweak, sign-off email fixes]
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:20:33.496174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/auditfilter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9735a9dcc307427e7d6336c54171682f1bac9789",
"status": "affected",
"version": "e92eebb0d6116f942ab25dfb1a41905aa59472a8",
"versionType": "git"
},
{
"lessThan": "4540f1d23e7f387880ce46d11b5cd3f27248bf8d",
"status": "affected",
"version": "e92eebb0d6116f942ab25dfb1a41905aa59472a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/auditfilter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix out-of-bounds read in audit_compare_dname_path()\n\nWhen a watch on dir=/ is combined with an fsnotify event for a\nsingle-character name directly under / (e.g., creating /a), an\nout-of-bounds read can occur in audit_compare_dname_path().\n\nThe helper parent_len() returns 1 for \"/\". In audit_compare_dname_path(),\nwhen parentlen equals the full path length (1), the code sets p = path + 1\nand pathlen = 1 - 1 = 0. The subsequent loop then dereferences\np[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.\n\nFix this by adding a pathlen \u003e 0 check to the while loop condition\nto prevent the out-of-bounds access.\n\n[PM: subject tweak, sign-off email fixes]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:45.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9735a9dcc307427e7d6336c54171682f1bac9789"
},
{
"url": "https://git.kernel.org/stable/c/4540f1d23e7f387880ce46d11b5cd3f27248bf8d"
}
],
"title": "audit: fix out-of-bounds read in audit_compare_dname_path()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39840",
"datePublished": "2025-09-19T15:26:15.596Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2026-01-14T19:23:12.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39982 (GCVE-0-2025-39982)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-10-15 07:56
VLAI?
EPSS
Title
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
This fixes the following UFA in hci_acl_create_conn_sync where a
connection still pending is command submission (conn->state == BT_OPEN)
maybe freed, also since this also can happen with the likes of
hci_le_create_conn_sync fix it as well:
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541
CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci3 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 123736:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]
hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634
pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 103680:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 6243bda271a628c48875e3e473206e7f584892ce
(git)
Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < bcce99f613163a43de24674b717e7a6c135fc879 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 484c7d571a3d1b3fd298fa691b660438c4548a53 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08 (git) Affected: aef2aa4fa98e18ea5d9345bf777ee698c8598728 , < 9e622804d57e2d08f0271200606bd1270f75126f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6243bda271a628c48875e3e473206e7f584892ce",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "bcce99f613163a43de24674b717e7a6c135fc879",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "484c7d571a3d1b3fd298fa691b660438c4548a53",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "9e622804d57e2d08f0271200606bd1270f75126f",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync\n\nThis fixes the following UFA in hci_acl_create_conn_sync where a\nconnection still pending is command submission (conn-\u003estate == BT_OPEN)\nmaybe freed, also since this also can happen with the likes of\nhci_le_create_conn_sync fix it as well:\n\nBUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nWrite of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541\n\nCPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci3 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 123736:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]\n hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634\n pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x54b/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 103680:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:02.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6243bda271a628c48875e3e473206e7f584892ce"
},
{
"url": "https://git.kernel.org/stable/c/bcce99f613163a43de24674b717e7a6c135fc879"
},
{
"url": "https://git.kernel.org/stable/c/484c7d571a3d1b3fd298fa691b660438c4548a53"
},
{
"url": "https://git.kernel.org/stable/c/a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08"
},
{
"url": "https://git.kernel.org/stable/c/9e622804d57e2d08f0271200606bd1270f75126f"
}
],
"title": "Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39982",
"datePublished": "2025-10-15T07:56:02.024Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:02.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39981 (GCVE-0-2025-39981)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:56 – Updated: 2025-11-24 09:49
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix possible UAFs
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix possible UAFs
This attemps to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduce and use to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addtion remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < d71b98f253b079cbadc83266383f26fe7e9e103b
(git)
Affected: cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < 87a1f16f07c6c43771754075e08f45b41d237421 (git) Affected: cf75ad8b41d2aa06f98f365d42a3ae8b059daddd , < 302a1f674c00dd5581ab8e493ef44767c5101aab (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
},
{
"lessThan": "87a1f16f07c6c43771754075e08f45b41d237421",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
},
{
"lessThan": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible UAFs\n\nThis attemps to fix possible UAFs caused by struct mgmt_pending being\nfreed while still being processed like in the following trace, in order\nto fix mgmt_pending_valid is introduce and use to check if the\nmgmt_pending hasn\u0027t been removed from the pending list, on the complete\ncallbacks it is used to check and in addtion remove the cmd from the list\nwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd\nis left on the list it can still be accessed and freed.\n\nBUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nRead of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55\n\nCPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 12210:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247\n add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n sock_write_iter+0x258/0x330 net/socket.c:1133\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 12221:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4648 [inline]\n kfree+0x18e/0x440 mm/slub.c:4847\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444\n hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290\n hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]\n hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526\n sock_do_ioctl+0xd9/0x300 net/socket.c:1192\n sock_ioctl+0x576/0x790 net/socket.c:1313\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T09:49:54.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d71b98f253b079cbadc83266383f26fe7e9e103b"
},
{
"url": "https://git.kernel.org/stable/c/87a1f16f07c6c43771754075e08f45b41d237421"
},
{
"url": "https://git.kernel.org/stable/c/302a1f674c00dd5581ab8e493ef44767c5101aab"
}
],
"title": "Bluetooth: MGMT: Fix possible UAFs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39981",
"datePublished": "2025-10-15T07:56:00.959Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-11-24T09:49:54.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53322 (GCVE-0-2023-53322)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:32
VLAI?
EPSS
Title
scsi: qla2xxx: Wait for io return on terminate rport
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Wait for io return on terminate rport
System crash due to use after free.
Current code allows terminate_rport_io to exit before making
sure all IOs has returned. For FCP-2 device, IO's can hang
on in HW because driver has not tear down the session in FW at
first sign of cable pull. When dev_loss_tmo timer pops,
terminate_rport_io is called and upper layer is about to
free various resources. Terminate_rport_io trigger qla to do
the final cleanup, but the cleanup might not be fast enough where it
leave qla still holding on to the same resource.
Wait for IO's to return to upper layer before resources are freed.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
715848ca6fffeb6362a50887d9c26245bd5dfba9 , < 8a55556cd7e0220486163b1285ce11a8be2ce5fa
(git)
Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < 4647d2e88918a078359d1532d90c417a38542c9e (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < d25fded78d88e1515439b3ba581684d683e0b6ab (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < a9fe97fb7b4ee21bffb76f2acb05769bad27ae70 (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < 079c8264ed9fea8cbcac01ad29040f901cbc3692 (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < 90770dad1eb30967ebd8d37d82830bcf270b3293 (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < 5bcdaafd92be6035ddc77fa76650cf9dd5b864c4 (git) Affected: 715848ca6fffeb6362a50887d9c26245bd5dfba9 , < fc0cba0c7be8261a1625098bd1d695077ec621c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:27:44.366496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:58.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a55556cd7e0220486163b1285ce11a8be2ce5fa",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "4647d2e88918a078359d1532d90c417a38542c9e",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "d25fded78d88e1515439b3ba581684d683e0b6ab",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "a9fe97fb7b4ee21bffb76f2acb05769bad27ae70",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "079c8264ed9fea8cbcac01ad29040f901cbc3692",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "90770dad1eb30967ebd8d37d82830bcf270b3293",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "5bcdaafd92be6035ddc77fa76650cf9dd5b864c4",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
},
{
"lessThan": "fc0cba0c7be8261a1625098bd1d695077ec621c9",
"status": "affected",
"version": "715848ca6fffeb6362a50887d9c26245bd5dfba9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Wait for io return on terminate rport\n\nSystem crash due to use after free.\nCurrent code allows terminate_rport_io to exit before making\nsure all IOs has returned. For FCP-2 device, IO\u0027s can hang\non in HW because driver has not tear down the session in FW at\nfirst sign of cable pull. When dev_loss_tmo timer pops,\nterminate_rport_io is called and upper layer is about to\nfree various resources. Terminate_rport_io trigger qla to do\nthe final cleanup, but the cleanup might not be fast enough where it\nleave qla still holding on to the same resource.\n\nWait for IO\u0027s to return to upper layer before resources are freed."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:19:27.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a55556cd7e0220486163b1285ce11a8be2ce5fa"
},
{
"url": "https://git.kernel.org/stable/c/4647d2e88918a078359d1532d90c417a38542c9e"
},
{
"url": "https://git.kernel.org/stable/c/d25fded78d88e1515439b3ba581684d683e0b6ab"
},
{
"url": "https://git.kernel.org/stable/c/a9fe97fb7b4ee21bffb76f2acb05769bad27ae70"
},
{
"url": "https://git.kernel.org/stable/c/079c8264ed9fea8cbcac01ad29040f901cbc3692"
},
{
"url": "https://git.kernel.org/stable/c/90770dad1eb30967ebd8d37d82830bcf270b3293"
},
{
"url": "https://git.kernel.org/stable/c/5bcdaafd92be6035ddc77fa76650cf9dd5b864c4"
},
{
"url": "https://git.kernel.org/stable/c/fc0cba0c7be8261a1625098bd1d695077ec621c9"
}
],
"title": "scsi: qla2xxx: Wait for io return on terminate rport",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53322",
"datePublished": "2025-09-16T16:11:58.062Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2026-01-14T18:32:58.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53401 (GCVE-0-2023-53401)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
VLAI?
EPSS
Title
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
KCSAN found an issue in obj_stock_flush_required():
stock->cached_objcg can be reset between the check and dereference:
==================================================================
BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock
write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:
drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306
refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340
obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408
memcg_slab_free_hook mm/slab.h:587 [inline]
__cache_free mm/slab.c:3373 [inline]
__do_kmem_cache_free mm/slab.c:3577 [inline]
kmem_cache_free+0x105/0x280 mm/slab.c:3602
__d_free fs/dcache.c:298 [inline]
dentry_free fs/dcache.c:375 [inline]
__dentry_kill+0x422/0x4a0 fs/dcache.c:621
dentry_kill+0x8d/0x1e0
dput+0x118/0x1f0 fs/dcache.c:913
__fput+0x3bf/0x570 fs/file_table.c:329
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x123/0x160 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171
exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:
obj_stock_flush_required mm/memcontrol.c:3319 [inline]
drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361
try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703
try_charge mm/memcontrol.c:2837 [inline]
mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290
sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025
sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525
udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668
__sys_setsockopt+0x1c3/0x230 net/socket.c:2271
__do_sys_setsockopt net/socket.c:2282 [inline]
__se_sys_setsockopt net/socket.c:2279 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2279
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0xffff8881382d52c0 -> 0xffff888138893740
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to
stock->cached_objcg.
Severity ?
4.7 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bf4f059954dcb221384b2f784677e19a13cd4bdb , < 33d9490b27e5d8da4444aefd714a4f50189db978
(git)
Affected: bf4f059954dcb221384b2f784677e19a13cd4bdb , < 33391c7e1a2ad612bf3922cc168cb09a46bbe236 (git) Affected: bf4f059954dcb221384b2f784677e19a13cd4bdb , < 3b8abb3239530c423c0b97e42af7f7e856e1ee96 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:01:39.705657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:06.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33d9490b27e5d8da4444aefd714a4f50189db978",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
},
{
"lessThan": "33391c7e1a2ad612bf3922cc168cb09a46bbe236",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
},
{
"lessThan": "3b8abb3239530c423c0b97e42af7f7e856e1ee96",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\n\nKCSAN found an issue in obj_stock_flush_required():\nstock-\u003ecached_objcg can be reset between the check and dereference:\n\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\n\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\n drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\n refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\n obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\n memcg_slab_free_hook mm/slab.h:587 [inline]\n __cache_free mm/slab.c:3373 [inline]\n __do_kmem_cache_free mm/slab.c:3577 [inline]\n kmem_cache_free+0x105/0x280 mm/slab.c:3602\n __d_free fs/dcache.c:298 [inline]\n dentry_free fs/dcache.c:375 [inline]\n __dentry_kill+0x422/0x4a0 fs/dcache.c:621\n dentry_kill+0x8d/0x1e0\n dput+0x118/0x1f0 fs/dcache.c:913\n __fput+0x3bf/0x570 fs/file_table.c:329\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x123/0x160 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\n do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\n obj_stock_flush_required mm/memcontrol.c:3319 [inline]\n drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\n try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\n try_charge mm/memcontrol.c:2837 [inline]\n mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\n sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\n sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\n udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\n udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\n sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n __sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n __do_sys_setsockopt net/socket.c:2282 [inline]\n __se_sys_setsockopt net/socket.c:2279 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff8881382d52c0 -\u003e 0xffff888138893740\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\n\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock-\u003ecached_objcg."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:41.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33d9490b27e5d8da4444aefd714a4f50189db978"
},
{
"url": "https://git.kernel.org/stable/c/33391c7e1a2ad612bf3922cc168cb09a46bbe236"
},
{
"url": "https://git.kernel.org/stable/c/3b8abb3239530c423c0b97e42af7f7e856e1ee96"
}
],
"title": "mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53401",
"datePublished": "2025-09-18T13:33:41.076Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2026-01-14T19:03:06.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…